Merge remote-tracking branch 'origin/master'

V8.13.408.2025.11.13
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 10:06:09 +01:00 · 2025-11-13 10:06:00 +01:00 · 2025-11-13 09:05:09 +00:00 · 2025-11-13 10:03:56 +01:00 · 2025-11-13 09:01:07 +00:00 · 2025-11-13 09:59:28 +01:00
209 changed files with 10233 additions and 2610 deletions
--- a/.archive/.0000_lib_usage.sh
+++ b/.archive/.0000_lib_usage.sh
@@ -1,142 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-#######################################
-# Usage Wrapper CISS.debian.live.builder
-# Globals:
-#   none
-# Arguments:
-#   $0: Script name
-#######################################
-usage() {
-  clear
-  cat << EOF
-$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
-$(echo -e "\e[92mMaster V8.13.142.2025.10.14\e[0m")
-$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
-
-$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
-$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
-
-"${0} <option>", where <option> is one or more of:
-
-$(echo -e "\e[97m  --help, -h\e[0m")
-    What you're looking at.
-
-$(echo -e "\e[97m  --autobuild=*, -a=*\e[0m")
-    Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
-    selector dialog. Change '*' to your desired Linux kernel and trim the
-    'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
-
-$(echo -e "\e[97m  --architecture <STRING> one of <amd64 | arm64>\e[0m")
-    A string reflecting the architecture of the Live System.
-    MUST be provided.
-
-$(echo -e "\e[97m  --build-directory </path/to/build_directory>\e[0m")
-    Where the Debian Live Build Image should be generated.
-    MUST be provided.
-
-$(echo -e "\e[97m  --change-splash <STRING> one of <club | hexagon>\e[0m")
-    A string reflecting the GRub Boot Screen Splash you want to use.
-    If omitted defaults to "./.archive/background/club.png".
-
-$(echo -e "\e[97m  --cdi (Experimental Feature)\e[0m")
-    This option generates a boot menu entry to start the forthcoming
-    'CISS.debian.installer', which will be executed after
-    the system has successfully booted up.
-
-$(echo -e "\e[97m  --contact, -c\e[0m")
-    Displays contact information of the author.
-
-$(echo -e "\e[97m  --control <INTEGER>\e[0m")
-    An integer that reflects the version of your Live ISO Image.
-    MUST be provided.
-
-$(echo -e "\e[97m  --debug\e[0m")
-    Enables debug logging for the main program routine. Detailed logging
-    information are written to "/tmp/ciss_live_builder_$$.log"
-
-$(echo -e "\e[97m  --dhcp-centurion\e[0m")
-    If a DHCP lease is provided, the provider's nameserver will be overridden,
-    and only the hardened, privacy-focused Centurion DNS servers will be used:
-      - https://dns01.eddns.eu/
-      - https://dns02.eddns.de/
-      - https://dns03.eddns.eu/
-
-$(echo -e "\e[97m  --jump-host <IP | IP | ... >\e[0m")
-    Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
-    Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
-    If provided, than it MUST be a <SPACE> separated list.
-    IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
-
-$(echo -e "\e[97m  --log-statistics-only\e[0m")
-    Provides statistic only after successful building a
-    CISS.debian.live-ISO. While enabling "--log-statistics-only"
-    the argument "--build-directory" MUST be provided while
-    all further options MUST be omitted.
-
-$(echo -e "\e[97m  --provider-netcup-ipv6\e[0m")
-    Activates IPv6 support for Netcup Root Server. One unique
-    IPv6 address MUST be provided in this case and MUST be encapsulated
-    with [], e.g., [1234::abcd].
-
-$(echo -e "\e[97m  --renice-priority <PRIORITY>\e[0m")
-    Reset the nice priority value of the script and all its children
-    to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
-    Negative (higher) values MUST be enclosed in double quotes '"'.
-
-$(echo -e "\e[97m  --reionice-priority <CLASS> <PRIORITY>\e[0m")
-    Reset the ionice priority value of the script and all its children
-    to the desired <CLASS>. MUST be an integer:
-      1: realtime
-      2: best-effort
-      3: idle
-    Defaults to '2'.
-    Whereas <PRIORITY> MUST be an integer as well between:
-      0: highest priority and
-      7: lowest priority.
-    Defaults to '4'.
-    A real-time I/O process can significantly slow down other processes
-    or even cause them to starve if it continuously requests I/O.
-
-$(echo -e "\e[97m  --root-password-file </path/to/password.txt>\e[0m")
-    Password file for 'root', if given, MUST be a string of 20 to 64 characters,
-    and MUST NOT contain the special character '"'.
-    If the argument is omitted, no further login authentication is required for
-    the local console. The root password is hashed with an 16 Byte '/dev/random'
-    generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
-    after Hash generation all Variables containing plain password fragments are
-    deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
-    further prompt after password hash has been successfully generated via:
-    'shred -vfzu 5 -f'.
-    No tracing of any plain text password fragment in any debug log.
-
-$(echo -e "\e[97m  --ssh-port <INTEGER>\e[0m")
-    The desired Port SSH should listen to.
-    If not provided defaults to Port 22.
-
-$(echo -e "\e[97m  --ssh-pubkey </path/to/.ssh/>\e[0m")
-    Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
-    specified PATH into the Live ISO. MUST be provided.
-
-$(echo -e "\e[97m  --version, -v\e[0m")
-    Displays version of ${0}.
-
-$(echo -e "\e[93m💡 Notes:\e[0m")
-🔵 You MUST be 'root' to run this script.
-
-$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
-$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/         \e[0m")
-
-EOF
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.archive/0005_tmpfile_dublette.chroot
+++ b/.archive/0005_tmpfile_dublette.chroot
@@ -1,72 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
-
-#######################################
-# Simple error terminal logger.
-# Arguments:
-#   None
-#######################################
-log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
-
-### Locate vendor 'legacy.conf' (The path can vary).
-declare vendor=""
-
-for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
-
-  if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
-
-done
-
-if [[ -z "${vendor}" ]]; then
-  log "WARN: vendor legacy.conf not found; creating a minimal override"
-  install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
-
-else
-
-  install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
-
-fi
-
-### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
-# shellcheck disable=SC2155
-declare tmpdir="$(mktemp -d)"
-declare out="${tmpdir}/legacy.conf"
-
-awk '
-BEGIN{seen=0}
-{
-  # Preserve everything by default
-  keep=1
-  # Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
-  if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
-    if (seen==1) { keep=0 } else { seen=1 }
-  }
-  if (keep) print
-}' /etc/tmpfiles.d/legacy.conf >| "${out}"
-
-### Install the sanitized file atomically.
-install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
-rm -rf -- "${tmpdir}"
-
-log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
-
-command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9985_clamav.chroot
+++ b/config/hooks/live/9985_clamav.chroot
--- a/.archive/generate_PRIVATE_trixie_0.yaml
+++ b/.archive/generate_PRIVATE_trixie_0.yaml
@@ -0,0 +1,448 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.408.2025.11.13
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    steps:
+      - name: 🛠️ Basic Image Setup.
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
+
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
+          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+
+          if [[ ! -f "${TPL}" ]]; then
+            echo "Template not found: ${TPL}"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
+          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+
+          (
+          cat << EOF >| "${ID_OUT}"
+          ${CISS_PRIMORDIAL}
+          EOF
+          ) && chmod 0600 "${ID_OUT}"
+          if [[ -f "${ID_OUT}" ]]; then
+            echo "Written: ${ID_OUT}"
+          else
+            echo "Error: ${ID_OUT} not written."
+          fi
+
+          (
+          cat << EOF >| "${ID_OUT_PUB}"
+          ${CISS_PRIMORDIAL_PUB}
+          EOF
+          ) && chmod 0600 "${ID_OUT_PUB}"
+          if [[ -f "${ID_OUT_PUB}" ]]; then
+            echo "Written: ${ID_OUT_PUB}"
+          else
+            echo "Error: ${ID_OUT_PUB} not written."
+          fi
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "${TPL}" > "${OUT}"
+
+          chmod 0755 "${OUT}"
+          echo "Hook rendered: ${OUT}"
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --debug \
+            --dhcp-centurion \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
+            --ssh-pubkey /opt/config \
+            --sshfp \
+            --trixie
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+          shred -fzu -n 5 /opt/config/authorized_keys
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/generate_PRIVATE_trixie_1.yaml
+++ b/.archive/generate_PRIVATE_trixie_1.yaml
@@ -0,0 +1,491 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.408.2025.11.13
+
+name: 🔐 Generating a Private Live ISO TRIXIE.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml'
+
+jobs:
+  generate-private-cdlb-trixie:
+    name: 🔐 Generating a Private Live ISO TRIXIE.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: ⏳ Waiting random time to desynchronize parallel workflows.
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🛠️ Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0077
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set -euo pipefail
+          umask 0077
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          set -euo pipefail
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: ⚙️ Init GNUPGHOME.
+        run: |
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="/dev/shm/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}.${GITHUB_RUN_ATTEMPT}"
+          mkdir -p -m 700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}" >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set -euo pipefail
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        run: |
+          set -euo pipefail
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        run: |
+          set -euo pipefail
+          umask 0077
+          mkdir -p /opt/cdlb/secrets
+          mkdir -p /opt/cdlb/livebuild
+          install -m 0600 /dev/null /opt/cdlb/secrets/password.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/authorized_keys
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /opt/cdlb/secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /opt/cdlb/secrets/keys.txt
+          install -m 0600 /dev/null /opt/cdlb/secrets/luks.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /opt/cdlb/secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /opt/cdlb/secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /opt/cdlb/secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /opt/cdlb/secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /opt/cdlb/secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /opt/cdlb/secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /opt/cdlb/secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /opt/cdlb/secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /opt/cdlb/secrets/luks.txt
+
+
+      - name: 🔧 Render live hook with secrets.
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        env:
+          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
+          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
+          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
+          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
+          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
+          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
+          CISS_PHYS_AGE:       ${{ secrets.CISS_PHYS_AGE }}
+          MSW_GPG_DEPLOY_BOT:  ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
+        run: |
+          set -Ceuo pipefail
+          umask 077
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+
+          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
+          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
+          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
+          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
+          SOPS="${REPO_ROOT}/config/hooks/live/0860_sops.chroot"
+          BINARY_CHECKSUMS="${REPO_ROOT}/scripts/usr/lib/live/build/binary_checksums.sh"
+
+          if [[ ! -f "${TPL}" ]]; then
+            echo "Template not found: ${TPL}"
+            echo "::group::Tree of config/hooks/live"
+            ls -la "${REPO_ROOT}/config/hooks/live" || true
+            echo "::endgroup::"
+            exit 2
+          fi
+
+          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
+          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
+          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
+          export RSA_PUB="${RSA_PUB//$'\r'/}"
+          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
+          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
+          export CISS_PHYS_AGE="${CISS_PHYS_AGE//$'\r'/}"
+          export MSW_GPG_DEPLOY_BOT="${MSW_GPG_DEPLOY_BOT//$'\r'/}"
+
+          (
+          cat << EOF >| "${ID_OUT}"
+          ${CISS_PRIMORDIAL}
+          EOF
+          ) && chmod 0600 "${ID_OUT}"
+          if [[ -f "${ID_OUT}" ]]; then
+            echo "Written: ${ID_OUT}"
+          else
+            echo "Error: ${ID_OUT} not written."
+          fi
+
+          (
+          cat << EOF >| "${ID_OUT_PUB}"
+          ${CISS_PRIMORDIAL_PUB}
+          EOF
+          ) && chmod 0600 "${ID_OUT_PUB}"
+          if [[ -f "${ID_OUT_PUB}" ]]; then
+            echo "Written: ${ID_OUT_PUB}"
+          else
+            echo "Error: ${ID_OUT_PUB} not written."
+          fi
+
+          perl -0777 -pe '
+            BEGIN{
+              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
+              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
+            }
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
+            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
+          ' "${TPL}" > "${OUT}"
+
+          chmod 0755 "${OUT}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $age = $ENV{CISS_PHYS_AGE} // q{};
+            }
+            s/\{\{\s*secrets\.CISS_PHYS_AGE\s*\}\}/$age/g;
+          ' -- "${SOPS}"
+          chmod 0755 "${SOPS}"
+
+          perl -0777 -i -pe '
+            BEGIN {
+              our $deploy = $ENV{MSW_GPG_DEPLOY_BOT} // q{};
+            }
+            s/\{\{\s*secrets\.MSW_GPG_DEPLOY_BOT\s*\}\}/$deploy/g;
+          ' -- "${BINARY_CHECKSUMS}"
+          chmod 0755 "${BINARY_CHECKSUMS}"
+
+          echo "Hook rendered: ${OUT}"
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        working-directory: ${{ github.workspace }}
+        run: |
+          set -euo pipefail
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/cdlb/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
+            --root-password-file /opt/cdlb/secrets/password.txt \
+            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
+            --ssh-pubkey /opt/cdlb/secrets \
+            --sshfp \
+            --trixie
+
+          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
+          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
+          rm -f "$OUT"
+          echo "Hook removed: $OUT"
+          shred -fzu -n 5 /opt/cdlb/secrets/authorized_keys
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/cdlb/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/generate_PUBLIC_iso.yaml
+++ b/.archive/generate_PUBLIC_iso.yaml
@@ -0,0 +1,366 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Version Master V8.13.408.2025.11.13
+
+name: 💙 Generating a PUBLIC Live ISO.
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - '.gitea/trigger/t_generate_PUBLIC.yaml'
+
+jobs:
+  generate-public-cdlb-trixie:
+    name: 💙 Generating a PUBLIC Live ISO.
+    runs-on: cdlb.trixie
+
+    container:
+      image: debian:trixie
+
+    steps:
+      - name: 🛠️ Basic Image Setup.
+        shell: bash
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get upgrade -y
+          apt-get install -y --no-install-recommends \
+            apt-utils \
+            bash \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            openssh-client \
+            openssl \
+            perl \
+            sudo \
+            util-linux
+
+      - name: ⚙️ Check GnuPG Version.
+        shell: bash
+        run: |
+          gpg --version
+
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        shell: bash
+        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+
+          ### Private Key
+          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
+          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts
+
+          ### Generate SSH Config for git.coresecret.dev Custom-Port
+          cat <<EOF >| ~/.ssh/config
+          Host git.coresecret.dev
+            HostName git.coresecret.dev
+            Port 42842
+            IdentityFile ~/.ssh/id_ed25519
+            StrictHostKeyChecking yes
+            UserKnownHostsFile ~/.ssh/known_hosts
+          EOF
+          chmod 0600 ~/.ssh/config
+
+      ### https://github.com/actions/checkout/issues/1843
+      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
+        shell: bash
+        env:
+          ### GITHUB_REF_NAME contains the branch name from the push event.
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: |
+          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
+          git fetch --unshallow || echo "Nothing to fetch - already full clone."
+
+      - name: 🛠️ Cleaning the workspace.
+        shell: bash
+        run: |
+          git reset --hard
+          git clean -fd
+
+      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
+        shell: bash
+        run: |
+          set -euo pipefail
+          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
+          export GNUPGHOME="$(pwd)/.gnupg"
+          mkdir -m 700 "${GNUPGHOME}"
+          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
+          gpg --batch --import centurion-root.PUB.asc
+          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
+          gpg --batch --import ci-bot.sec.asc
+          ### Trust the key automatically
+          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
+          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+
+      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
+        shell: bash
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+          git config user.name "Marc S. Weidner BOT"
+          git config user.email "msw+bot@coresecret.dev"
+          git config commit.gpgsign true
+          git config gpg.program gpg
+          git config gpg.format openpgp
+
+      - name: ⚙️ Preparing the build environment.
+        shell: bash
+        run: |
+          set -euo pipefail
+          mkdir -p /opt/config
+          mkdir -p /opt/livebuild
+          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
+          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+
+      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
+        shell: bash
+        run: |
+          set -euo pipefail
+          sed -i '/^hardening_ssh_tcp.*/d' ciss_live_builder.sh
+          chmod 0755 ciss_live_builder.sh
+          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
+          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ./ciss_live_builder.sh \
+            --autobuild=6.16.3+deb13-amd64 \
+            --architecture amd64 \
+            --build-directory /opt/livebuild \
+            --cdi \
+            --control "${timestamp}" \
+            --debug \
+            --root-password-file /opt/config/password.txt \
+            --ssh-port 42137 \
+            --ssh-pubkey /opt/config \
+            --trixie
+
+      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          SHARE_SUBDIR=""
+
+          echo "📥 Get directory listing via PROPFIND ..."
+          curl -s \
+          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+          -X PROPFIND \
+          -H "Depth: 1" \
+          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+          -o propfind_public.xml
+
+          echo "📥 Filter .iso files from the PROPFIND response ..."
+          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
+
+          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+            echo "💡 Old ISO files found and deleted :"
+            while IFS= read -r href; do
+              FILE_URL="${NC_BASE}${href}"
+              echo "  Delete: ${FILE_URL}"
+              if curl -s \
+                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
+                  -X DELETE "${FILE_URL}"; then
+                echo "    ✅ Successfully deleted: $(basename "${href}")"
+              else
+                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+              fi
+            done < public_iso_list.txt
+          else
+            echo "💡 No old ISO files found to delete."
+          fi
+
+      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+        shell: bash
+        env:
+          NC_BASE: "https://cloud.e2ee.li"
+          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
+          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
+        run: |
+          set -euo pipefail
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+            echo "✅ New ISO successfully uploaded."
+          else
+            echo "❌ Uploading the new ISO failed."
+            exit 1
+          fi
+
+      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
+        shell: bash
+        run: |
+          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+            echo "❌ There must be exactly one .iso file in the directory!"
+            exit 1
+          else
+            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
+            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+          fi
+
+          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
+          touch "${VAR_ISO_FILE_SHA512}"
+          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
+          touch "${SIGNATURE_FILE}"
+          export GNUPGHOME="$(pwd)/.gnupg"
+          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          VAR_DATE="$(date +%F)"
+          PRIVATE_FILE="LIVE_ISO.public"
+          touch "${PRIVATE_FILE}"
+          cat << EOF >| "${PRIVATE_FILE}"
+          # SPDX-Version: 3.0
+          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+          # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+          # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+          # SPDX-FileType: SOURCE
+          # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+          # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+          # SPDX-PackageName: CISS.debian.live.builder
+          # SPDX-Security-Contact: security@coresecret.eu
+
+          This file was automatically generated by the DEPLOY BOT on: "${timestamp}"
+
+          CISS.debian.live.builder ISO :
+            "${VAR_ISO_FILE_NAME}"
+          CISS.debian.live.builder ISO sha512 :
+            $(< "${VAR_ISO_FILE_SHA512}")
+          CISS.debian.live.builder ISO sha512 sign :
+            $(< "${SIGNATURE_FILE}")
+
+          # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
+          EOF
+
+      - name: 🚧 Stash local changes (including untracked).
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Temporarily store any local modifications or untracked files.
+          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."
+
+      - name: 🔄 Sync with remote before commit using merge strategy.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          echo "🔄 Fetching origin/master ..."
+          git fetch origin master
+
+          echo "🔁 Merging origin/master into current branch ..."
+          git merge --no-edit origin/master || echo "✔️ Already up to date or fast-forward."
+
+          echo "📋 Post-merge status :"
+          git status
+          git log --oneline -n 5
+
+      - name: 🛠️ Restore stashed changes.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          ### Apply previously stashed changes.
+          git stash pop || echo "✔️ Nothing to pop."
+
+      - name: 📦 Stage generated files.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          PRIVATE_FILE="LIVE_ISO.public"
+          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."
+
+      - name: 🔑 Commit and sign changes with CI metadata.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          export GNUPGHOME="$(pwd)/.gnupg"
+
+          if git diff --cached --quiet; then
+            echo "✔️ No staged changes to commit."
+          else
+            echo "📝 Committing changes with GPG signature ..."
+
+            ### CI Metadata
+            TIMESTAMP_UTC="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+            HOSTNAME="$(hostname -f || hostname)"
+            GIT_SHA="$(git rev-parse --short HEAD)"
+            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
+            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"
+
+            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
+
+          ${CI_HEADER}
+
+          Generated at : ${TIMESTAMP_UTC}
+          Runner Host  : ${HOSTNAME}
+          Workflow ID  : ${WORKFLOW_ID}
+          Git Commit   : ${GIT_SHA} HEAD -> ${GIT_REF}
+          "
+
+            echo "🔏 Commit message :"
+            echo "${COMMIT_MSG}"
+            git commit -S -m "${COMMIT_MSG}"
+          fi
+
+      - name: 🔁 Push back to repository.
+        shell: bash
+        env:
+          GIT_SSH_COMMAND: "ssh -p 42842"
+        run: |
+          set -euo pipefail
+          echo "📤 Pushing changes to ${GITHUB_REF_NAME} ..."
+          git push origin HEAD:${GITHUB_REF_NAME}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.archive/icon.lib
+++ b/.archive/icon.lib
@@ -17,6 +17,10 @@
 🔑
 ✍️
 🖥️
+⬆️
+⏫
+🔼
+🆙
 🔄
 🔁
 🌌
@@ -32,6 +36,7 @@
 🧪
 📩
 📥
+📤
 📦
 📑
 📂
@@ -52,4 +57,7 @@
 ☢️
 ☣️
 •
+☁️
+📡
+🛡️
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
+++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.142.2025.10.14"
+      placeholder: "e.g., Master V8.13.408.2025.11.13"
    validations:
      required: true

--- a/.gitea/TODO/dockerfile
+++ b/.gitea/TODO/dockerfile
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 FROM debian:bookworm

--- a/.gitea/TODO/render-md-to-html.yaml
+++ b/.gitea/TODO/render-md-to-html.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 name: 🔁 Render README.md to README.html.

@@ -38,11 +38,11 @@ jobs:

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
@@ -53,7 +53,7 @@ jobs:
            StrictHostKeyChecking yes
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.400.2025.11.08
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.400.2025.11.08
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_PUBLIC.yaml
+++ b/.gitea/trigger/t_generate_PUBLIC.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.400.2025.11.08
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/trigger/t_generate_dns.yaml
+++ b/.gitea/trigger/t_generate_dns.yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V8.13.142.2025.10.14
+  version: V8.13.408.2025.11.13
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -9,14 +9,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 name: 🔐 Generating a Private Live ISO TRIXIE.

-defaults:
-  run:
-    shell: bash
-
 permissions:
  contents: write

@@ -35,214 +31,201 @@ jobs:
    container:
      image: debian:trixie

-    steps:
-      - name: 🛠️ Basic Image Setup.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
+          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
+            bat \
            ca-certificates \
            curl \
+            debootstrap \
            git \
+            gnupg-utils \
            gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
            openssh-client \
            openssl \
            perl \
+            pinentry-curses \
+            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
+            whois

      - name: ⚙️ Check GnuPG Version.
-        shell: bash
        run: |
          gpg --version

      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-          sleep "${var_wait}"
+          umask 0077

          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
            HostName git.coresecret.dev
-            Port 42842
            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
            StrictHostKeyChecking yes
+            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
+          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."

-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
+      - name: ⚙️ Init GNUPGHOME.
        run: |
-          git reset --hard
-          git clean -fd
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
+          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
+          git config --get user.signingkey

      - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD }}"                 >| /dev/shm/cdlb_secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}"          >| /dev/shm/cdlb_secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY }}" >| /opt/config/authorized_keys
-
-      - name: 🔧 Render live hook with secrets.
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        env:
-          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
-          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
-          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
-          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
-          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
-          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
-        run: |
-          set -Ceuo pipefail
-          umask 077
-
-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-
-          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
-          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
-          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
-          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
-
-          if [[ ! -f "${TPL}" ]]; then
-            echo "Template not found: ${TPL}"
-            echo "::group::Tree of config/hooks/live"
-            ls -la "${REPO_ROOT}/config/hooks/live" || true
-            echo "::endgroup::"
-            exit 2
-          fi
-
-          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
-          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
-          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
-          export RSA_PUB="${RSA_PUB//$'\r'/}"
-          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
-          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
-
-          (
-          cat << EOF >| "${ID_OUT}"
-          ${CISS_PRIMORDIAL}
-          EOF
-          ) && chmod 0600 "${ID_OUT}"
-          if [[ -f "${ID_OUT}" ]]; then
-            echo "Written: ${ID_OUT}"
-          else
-            echo "Error: ${ID_OUT} not written."
-          fi
-
-          (
-          cat << EOF >| "${ID_OUT_PUB}"
-          ${CISS_PRIMORDIAL_PUB}
-          EOF
-          ) && chmod 0600 "${ID_OUT_PUB}"
-          if [[ -f "${ID_OUT_PUB}" ]]; then
-            echo "Written: ${ID_OUT_PUB}"
-          else
-            echo "Error: ${ID_OUT_PUB} not written."
-          fi
-
-          perl -0777 -pe '
-            BEGIN{
-              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
-              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
-            }
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
-          ' "${TPL}" > "${OUT}"
-
-          chmod 0755 "${OUT}"
-          echo "Hook rendered: ${OUT}"
-
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        run: |
-          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.16.3+deb13-amd64 \
+            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --debug \
            --dhcp-centurion \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
+            --key_age=keys.txt \
+            --key_luks=luks.txt \
            --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+            --signing_key_pass=signing_key_pass.txt \
+            --signing_key=signing_key.asc \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie

-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
-          rm -f "$OUT"
-          echo "Hook removed: $OUT"
-
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
        shell: bash
        env:
@@ -262,6 +245,7 @@ jobs:
          -o propfind_public.xml

          echo "📥 Filter .iso files from the PROPFIND response ..."
+
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true

          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
@@ -281,7 +265,7 @@ jobs:
            echo "💡 No old ISO files found to delete."
          fi

-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
@@ -289,11 +273,11 @@ jobs:
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
          fi
@@ -308,29 +292,35 @@ jobs:
          fi

      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
+
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
          fi

          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
+
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"

          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_0.private"
          touch "${PRIVATE_FILE}"
+
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -356,7 +346,6 @@ jobs:
          EOF

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -365,12 +354,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -382,8 +369,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -392,7 +378,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -401,16 +386,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"

          if git diff --cached --quiet; then
+
            echo "✔️ No staged changes to commit."
+
          else
+
            echo "📝 Committing changes with GPG signature ..."

            ### CI Metadata
@@ -418,7 +404,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_0.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 0 [skip ci]
@@ -434,10 +420,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
+
          fi

      - name: 🔁 Push back to repository.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -9,14 +9,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 name: 🔐 Generating a Private Live ISO TRIXIE.

-defaults:
-  run:
-    shell: bash
-
 permissions:
  contents: write

@@ -35,213 +31,199 @@ jobs:
    container:
      image: debian:trixie

-    steps:
-      - name: 🛠️ Basic Image Setup.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
+          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
+            bat \
            ca-certificates \
            curl \
+            debootstrap \
            git \
+            gnupg-utils \
            gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
            openssh-client \
            openssl \
            perl \
+            pinentry-curses \
+            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
+            whois

      - name: ⚙️ Check GnuPG Version.
-        shell: bash
        run: |
          gpg --version

      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-          sleep "${var_wait}"
+          umask 0077

          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
            HostName git.coresecret.dev
-            Port 42842
            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
            StrictHostKeyChecking yes
+            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
+          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."

-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
+      - name: ⚙️ Init GNUPGHOME.
        run: |
-          git reset --hard
-          git clean -fd
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
+          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
+          git config --get user.signingkey

      - name: ⚙️ Preparing the build environment.
-        shell: bash
+        run: |
+          set +x
+          set -euo pipefail
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}"               >| /dev/shm/cdlb_secrets/password.txt
+          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}"        >| /dev/shm/cdlb_secrets/authorized_keys
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}"     >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}" >| /dev/shm/cdlb_secrets/ssh_host_ed25519_key.pub
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}"         >| /dev/shm/cdlb_secrets/ssh_host_rsa_key
+          echo "${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}"     >| /dev/shm/cdlb_secrets/ssh_host_rsa_key.pub
+          echo "${{ secrets.CISS_PRIMORDIAL_PRIVATE }}"           >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial
+          echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
+          echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
+          echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
+          echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo "${{ secrets.CISS_DLB_ROOT_PWD_1 }}" >| /opt/config/password.txt
-          echo "${{ secrets.CISS_DLB_ROOT_SSH_PUBKEY_1 }}" >| /opt/config/authorized_keys
-
-      - name: 🔧 Render live hook with secrets.
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        env:
-          ED25519_PRIV:        ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
-          ED25519_PUB:         ${{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
-          RSA_PRIV:            ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
-          RSA_PUB:             ${{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
-          CISS_PRIMORDIAL:     ${{ secrets.CISS_PRIMORDIAL_PRIVATE }}
-          CISS_PRIMORDIAL_PUB: ${{ secrets.CISS_PRIMORDIAL_PUBLIC }}
-        run: |
-          set -Ceuo pipefail
-          umask 077
-
-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-
-          TPL="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot.tmpl"
-          OUT="${REPO_ROOT}/config/hooks/live/9935_hardening_ssh.chroot"
-          ID_OUT="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
-          ID_OUT_PUB="${REPO_ROOT}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
-
-          if [[ ! -f "${TPL}" ]]; then
-            echo "Template not found: ${TPL}"
-            echo "::group::Tree of config/hooks/live"
-            ls -la "${REPO_ROOT}/config/hooks/live" || true
-            echo "::endgroup::"
-            exit 2
-          fi
-
-          export ED25519_PRIV="${ED25519_PRIV//$'\r'/}"
-          export ED25519_PUB="${ED25519_PUB//$'\r'/}"
-          export RSA_PRIV="${RSA_PRIV//$'\r'/}"
-          export RSA_PUB="${RSA_PUB//$'\r'/}"
-          export CISS_PRIMORDIAL="${CISS_PRIMORDIAL//$'\r'/}"
-          export CISS_PRIMORDIAL_PUB="${CISS_PRIMORDIAL_PUB//$'\r'/}"
-
-          (
-          cat << EOF >| "${ID_OUT}"
-          ${CISS_PRIMORDIAL}
-          EOF
-          ) && chmod 0600 "${ID_OUT}"
-          if [[ -f "${ID_OUT}" ]]; then
-            echo "Written: ${ID_OUT}"
-          else
-            echo "Error: ${ID_OUT} not written."
-          fi
-
-          (
-          cat << EOF >| "${ID_OUT_PUB}"
-          ${CISS_PRIMORDIAL_PUB}
-          EOF
-          ) && chmod 0600 "${ID_OUT_PUB}"
-          if [[ -f "${ID_OUT_PUB}" ]]; then
-            echo "Written: ${ID_OUT_PUB}"
-          else
-            echo "Error: ${ID_OUT_PUB} not written."
-          fi
-
-          perl -0777 -pe '
-            BEGIN{
-              $ed=$ENV{ED25519_PRIV}; $edpub=$ENV{ED25519_PUB};
-              $rsa=$ENV{RSA_PRIV};    $rsapub=$ENV{RSA_PUB};
-            }
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY\s*\}\}/$ed/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_ED25519_KEY_PUB\s*\}\}/$edpub/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY\s*\}\}/$rsa/g;
-            s/\{\{\s*secrets\.CISS_DLB_SSH_HOST_RSA_KEY_PUB\s*\}\}/$rsapub/g;
-          ' "${TPL}" > "${OUT}"
-
-          chmod 0755 "${OUT}"
-          echo "Hook rendered: ${OUT}"
-
-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
-        working-directory: ${{ github.workspace }}
-        run: |
-          set -euo pipefail
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.16.3+deb13-amd64 \
+            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
-            --root-password-file /opt/config/password.txt \
+            --key_age=keys.txt \
+            --key_luks=luks.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
+            --signing_key_pass=signing_key_pass.txt \
+            --signing_key=signing_key.asc \
            --ssh-port ${{ secrets.CISS_DLB_SSH_PORT_1 }} \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --sshfp \
            --trixie

-          REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd -P)"
-          OUT="$REPO_ROOT/config/hooks/live/9935_hardening_ssh.chroot"
-          rm -f "$OUT"
-          echo "Hook removed: $OUT"
-
      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
@@ -251,83 +233,106 @@ jobs:
          SHARE_SUBDIR=""

          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml

          echo "📥 Filter .iso files from the PROPFIND response ..."
+
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true

          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
            echo "💡 Old ISO files found and deleted :"
+
            while IFS= read -r href; do
+
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
+
              else
+
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
              fi
+
            done < public_iso_list.txt
+
          else
+
            echo "💡 No old ISO files found to delete."
+
          fi

-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_1 }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_1 }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
+
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
          fi

          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
            echo "✅ New ISO successfully uploaded."
+
          else
+
            echo "❌ Uploading the new ISO failed."
            exit 1
+
          fi

      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
+
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
          fi

          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
+
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"

          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO_TRIXIE_1.private"
          touch "${PRIVATE_FILE}"
+
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -353,7 +358,6 @@ jobs:
          EOF

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -362,12 +366,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -379,8 +381,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -389,7 +390,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -398,16 +398,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"

          if git diff --cached --quiet; then
+
            echo "✔️ No staged changes to commit."
+
          else
+
            echo "📝 Committing changes with GPG signature ..."

            ### CI Metadata
@@ -415,7 +416,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PRIVATE_trixie_1.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

            COMMIT_MSG="DEPLOY BOT   : 🔐 Auto-Generate PRIVATE LIVE ISO TRIXIE 1 [skip ci]
@@ -431,10 +432,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
+
          fi

      - name: 🔁 Push back to repository.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-08-22; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,14 +9,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 name: 💙 Generating a PUBLIC Live ISO.

-defaults:
-  run:
-    shell: bash
-
 permissions:
  contents: write

@@ -35,135 +31,172 @@ jobs:
    container:
      image: debian:trixie

-    steps:
-      - name: 🛠️ Basic Image Setup.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
+          set -euo pipefail
+          var_wait=$(( RANDOM % 33 ))
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          sleep "${var_wait}"
+
+      - name: 🔧 Basic Image Setup.
+        run: |
+          set -euo pipefail
+          umask 0022
+
+          echo "APT_LISTCHANGES_FRONTEND=none"  >> "${GITHUB_ENV}"
+          echo "DEBIAN_FRONTEND=noninteractive" >> "${GITHUB_ENV}"
+          echo "LC_ALL=C.UTF-8"                 >> "${GITHUB_ENV}"
+          echo "TZ=UTC"                         >> "${GITHUB_ENV}"
+          echo "VAR_CDLB_INSIDE_RUNNER=true"    >> "${GITHUB_ENV}"
+
+          export APT_LISTCHANGES_FRONTEND=none
          export DEBIAN_FRONTEND=noninteractive
-          apt-get update
+
+          apt-get update -qq
          apt-get upgrade -y
          apt-get install -y --no-install-recommends \
            apt-utils \
            bash \
+            bat \
            ca-certificates \
            curl \
+            debootstrap \
            git \
+            gnupg-utils \
            gnupg \
+            gpg-agent \
+            gpgv \
+            live-build \
+            lsb-release \
            openssh-client \
            openssl \
            perl \
+            pinentry-curses \
+            pinentry-tty \
            sudo \
-            util-linux
+            util-linux \
+            whois

      - name: ⚙️ Check GnuPG Version.
-        shell: bash
        run: |
          gpg --version

      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
-          sleep "${var_wait}"
+          umask 0077

          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
            HostName git.coresecret.dev
-            Port 42842
            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
            StrictHostKeyChecking yes
+            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
+          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."

-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
+      - name: ⚙️ Init GNUPGHOME.
        run: |
-          git reset --hard
-          git clean -fd
+          set +x
+          set -euo pipefail
+          umask 0077
+          GNUPGHOME="${PWD}/gnupg.${GITHUB_RUN_ID}.${GITHUB_JOB}"
+          # shellcheck disable=SC2174
+          mkdir -p -m 0700 "${GNUPGHOME}"
+          echo "GNUPGHOME=${GNUPGHOME}"                 >> "${GITHUB_ENV}"
+          echo 'allow-loopback-pinentry'                >| "${GNUPGHOME}/gpg-agent.conf"
+          echo 'pinentry-program /usr/bin/pinentry-tty' >> "${GNUPGHOME}/gpg-agent.conf"
+          gpgconf --reload gpg-agent || true

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
+        env:
+          PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV: ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}
        run: |
+          set +x
          set -euo pipefail
-          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
-          echo "${{ secrets.PGP_PUBKEY_CENTURION_ROOT_2025_X448 }}" >| centurion-root.PUB.asc
-          gpg --batch --import centurion-root.PUB.asc
-          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
-          gpg --batch --import ci-bot.sec.asc
-          ### Trust the key automatically
-          KEY_ID=$(gpg --list-keys --with-colons | awk -F: '/^pub:/ {print $5}')
-          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"
+          umask 0077
+          printf '%s' "${PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV}" | gpg --batch --import
+          unset PRIVATE_PGP_MSW_DEPLOY_CORESECRET_DEV

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
+          git config user.signingkey ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }}
          git config commit.gpgsign true
          git config gpg.program gpg
          git config gpg.format openpgp
+          git config --get user.signingkey

      - name: ⚙️ Preparing the build environment.
-        shell: bash
        run: |
+          set +x
          set -euo pipefail
-          mkdir -p /opt/config
-          mkdir -p /opt/livebuild
-          touch /opt/config/password.txt && chmod 0600 /opt/config/password.txt
-          touch /opt/config/authorized_keys && chmod 0600 /opt/config/authorized_keys
-          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /opt/config/password.txt
-          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /opt/config/authorized_keys
+          umask 0077
+          mkdir -p /dev/shm/cdlb_secrets
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/password.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/authorized_keys
+          echo 'Mvnz#zENbf2vsAYEAbfPcnbDcmct7XefPXfRJxSQQH' >| /dev/shm/cdlb_secrets/password.txt
+          echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAYZDAqVZUk3LwJsqeVHKvLn8UKkFx642VBbiSS8uSY 2025_ciss.debian.live.ISO_PUBLIC_ONLY' >| /dev/shm/cdlb_secrets/authorized_keys

-      - name: 🛠️ Starting CISS.debian.live.builder. This may take a while ...
-        shell: bash
+
+      - name: 🔧 Starting CISS.debian.live.builder. This may take about an hour ...
        run: |
          set -euo pipefail
-          sed -i '/^hardening_ssh.*/d' ciss_live_builder.sh
-          chmod 0755 ciss_live_builder.sh
+          chmod 0700 ciss_live_builder.sh
          timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
          ./ciss_live_builder.sh \
-            --autobuild=6.16.3+deb13-amd64 \
            --architecture amd64 \
-            --build-directory /opt/livebuild \
+            --autobuild=6.16.3+deb13-amd64 \
+            --build-directory /opt/cdlb \
            --cdi \
            --control "${timestamp}" \
            --debug \
-            --root-password-file /opt/config/password.txt \
+            --root-password-file /dev/shm/cdlb_secrets/password.txt \
            --ssh-port 42137 \
-            --ssh-pubkey /opt/config \
+            --ssh-pubkey /dev/shm/cdlb_secrets \
            --trixie

      - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
@@ -173,83 +206,106 @@ jobs:
          SHARE_SUBDIR=""

          echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
          -o propfind_public.xml

          echo "📥 Filter .iso files from the PROPFIND response ..."
+
          grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true

          if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
            echo "💡 Old ISO files found and deleted :"
+
            while IFS= read -r href; do
+
              FILE_URL="${NC_BASE}${href}"
              echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
                echo "    ✅ Successfully deleted: $(basename "${href}")"
+
              else
+
                echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
              fi
+
            done < public_iso_list.txt
+
          else
+
            echo "💡 No old ISO files found to delete."
+
          fi

-      - name: 🛠️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
+      - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
        env:
          NC_BASE: "https://cloud.e2ee.li"
          SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER_PUBLIC }}"
          SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD_PUBLIC }}"
        run: |
          set -euo pipefail
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
+
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
          fi

          AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
+
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
          --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
            echo "✅ New ISO successfully uploaded."
+
          else
+
            echo "❌ Uploading the new ISO failed."
            exit 1
+
          fi

      - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.
-        shell: bash
        run: |
-          if [[ $(ls /opt/livebuild/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+          if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
            echo "❌ There must be exactly one .iso file in the directory!"
            exit 1
+
          else
-            VAR_ISO_FILE_PATH=$(ls /opt/livebuild/*.iso)
+
+            VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
            VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
            echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
          fi

          VAR_ISO_FILE_SHA512="${VAR_ISO_FILE_NAME}.sha512"
          touch "${VAR_ISO_FILE_SHA512}"
+
          sha512sum "${VAR_ISO_FILE_PATH}" | awk '{print $1}' >| "${VAR_ISO_FILE_SHA512}"
+
          SIGNATURE_FILE="${VAR_ISO_FILE_SHA512}.sign"
          touch "${SIGNATURE_FILE}"
-          export GNUPGHOME="$(pwd)/.gnupg"
-          gpg --batch --yes --armor --detach-sign --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"
+
+          gpg --batch --yes --armor --detach-sign --local-user ${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV_FPR }} --output "${SIGNATURE_FILE}" "${VAR_ISO_FILE_SHA512}"

          timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
          VAR_DATE="$(date +%F)"
          PRIVATE_FILE="LIVE_ISO.public"
          touch "${PRIVATE_FILE}"
+
          cat << EOF >| "${PRIVATE_FILE}"
          # SPDX-Version: 3.0
          # SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -275,7 +331,6 @@ jobs:
          EOF

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -284,12 +339,10 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -301,8 +354,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -311,7 +363,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -320,16 +371,17 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"

          if git diff --cached --quiet; then
+
            echo "✔️ No staged changes to commit."
+
          else
+
            echo "📝 Committing changes with GPG signature ..."

            ### CI Metadata
@@ -337,7 +389,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-generate_PUBLIC_iso.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

            COMMIT_MSG="DEPLOY BOT   : 💙 Auto-Generate PUBLIC LIVE ISO [skip ci]
@@ -353,10 +405,10 @@ jobs:
            echo "🔏 Commit message :"
            echo "${COMMIT_MSG}"
            git commit -S -m "${COMMIT_MSG}"
+
          fi

      - name: 🔁 Push back to repository.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/linter_char_scripts.yaml
+++ b/.gitea/workflows/linter_char_scripts.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 # Gitea Workflow: Shell-Script Linting
 #
@@ -36,61 +36,67 @@ jobs:
    name: 🛡️ Shell Script Linting
    runs-on: ubuntu-latest

-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"

-          rm -rf ~/.ssh && mkdir -m700 ~/.ssh
+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
+          rm -rf ~/.ssh && mkdir -m0700 ~/.ssh

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
            HostName git.coresecret.dev
-            Port 42842
            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
            StrictHostKeyChecking yes
+            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -98,10 +104,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -109,22 +114,19 @@ jobs:
          git config gpg.format openpgp

      - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true

-      - name: 🛠️ Install dependencies.
-        shell: bash
+      - name: 🔧 Install dependencies.
        run: |
          ### Install grep with Perl-regex support, falls noch nicht vorhanden
-          apt-get update
+          apt-get update  -qq
          apt-get upgrade -y
          apt-get install -y grep

      - name: 🔍 Lint shell scripts
-        shell: bash
        run: |
          # -------------------------------
          # STEP 1: Find target files.
@@ -254,7 +256,6 @@ jobs:
          fi

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -263,12 +264,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -280,8 +280,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -290,7 +289,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -299,12 +297,11 @@ jobs:
          git add "${PRIVATE_FILE}" || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -316,7 +313,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

            COMMIT_MSG="DEPLOY BOT   : 🛡️ Shell Script Linting [skip ci]
@@ -335,7 +332,6 @@ jobs:
          fi

      - name: 🔁 Push back to repository.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitea/workflows/render-dnssec-status.yaml
+++ b/.gitea/workflows/render-dnssec-status.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -28,61 +28,67 @@ jobs:
    name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
    runs-on: ubuntu-latest

-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"

+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
            HostName git.coresecret.dev
-            Port 42842
            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
            StrictHostKeyChecking yes
+            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -90,10 +96,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -101,38 +106,32 @@ jobs:
          git config gpg.format openpgp

      - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true

-      - name: 🛠️ Install DNSViz.
-        shell: bash
+      - name: 🔧 Install DNSViz.
        run: |
          sudo apt-get update
          sudo apt-get install -y dnsviz

      - name: ⚙️ Ensure docs/SECURITY/ directory exists.
-        shell: bash
        run: |
          mkdir -p docs/SECURITY/
          rm -f docs/SECURITY/coresecret.dev.png

-      - name: 🛠️ Prepare DNS Cache.
-        shell: bash
+      - name: 🔧 Prepare DNS Cache.
        run: |
          sudo apt-get install -y dnsutils
          dig +dnssec +multi coresecret.dev @8.8.8.8

-      - name: 🛠️ Retrieve Zone Dump and generate .png Visualization.
-        shell: bash
+      - name: 🔧 Retrieve Zone Dump and generate .png Visualization.
        run: |
          dnsviz probe -s 8.8.8.8 -R SOA,A,AAAA,CAA,CDS,CDNSKEY,LOC,HTTPS,MX,NS,TXT coresecret.dev >| coresecret.dev.json
          dnsviz graph -T png < coresecret.dev.json >| docs/SECURITY/coresecret.dev.png

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -141,12 +140,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -158,8 +156,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -168,7 +165,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -176,12 +172,11 @@ jobs:
          git add docs/SECURITY/*.png || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -193,7 +188,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

            COMMIT_MSG="DEPLOY BOT   : 🛡️ Auto-Generate DNSSEC Status [skip ci]
--- a/.gitea/workflows/render-dot-to-png.yaml
+++ b/.gitea/workflows/render-dot-to-png.yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V8.13.142.2025.10.14
+# Version Master V8.13.408.2025.11.13

 name: 🔁 Render Graphviz Diagrams.

@@ -29,61 +29,67 @@ jobs:
    name: 🔁 Render Graphviz Diagrams.
    runs-on: ubuntu-latest

-    steps:
-      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+    defaults:
+      run:
        shell: bash
+        working-directory: ${{ github.workspace }}
+
+    steps:
+      - name: 🕑 Waiting random time to desynchronize parallel workflows.
        run: |
          set -euo pipefail
          var_wait=$(( RANDOM % 33 ))
-          printf "⏳ Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
+          printf "🕑 Waiting %s seconds to desynchronize parallel workflows...\n" "${var_wait}"
          sleep "${var_wait}"

+      - name: ⚙️ Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
+        run: |
+          set +x
+          set -euo pipefail
          rm -rf ~/.ssh && mkdir -m700 ~/.ssh

          ### Private Key
          echo "${{ secrets.SSH_MSW_DEPLOY_CORESECRET_DEV }}" >| ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519

          ### Scan git.coresecret.dev to fill ~/.ssh/known_hosts
          ssh-keyscan -p 42842 git.coresecret.dev >| ~/.ssh/known_hosts
-          chmod 600 ~/.ssh/known_hosts
+          chmod 0600 ~/.ssh/known_hosts

          ### Generate SSH Config for git.coresecret.dev Custom-Port
          cat <<EOF >| ~/.ssh/config
          Host git.coresecret.dev
+            BatchMode yes
+            ConnectTimeout 5
+            ControlMaster auto
+            ControlPath ~/.ssh/cm-%r@%h:%p
+            ControlPersist 5m
            HostName git.coresecret.dev
-            Port 42842
            IdentityFile ~/.ssh/id_ed25519
+            Port 42842
+            ServerAliveCountMax 3
+            ServerAliveInterval 10
            StrictHostKeyChecking yes
+            User git
            UserKnownHostsFile ~/.ssh/known_hosts
          EOF
-          chmod 600 ~/.ssh/config
+          chmod 0600 ~/.ssh/config

      ### https://github.com/actions/checkout/issues/1843
-      - name: 🛠️ Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
-        shell: bash
+      - name: 🔧 Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
        env:
          ### GITHUB_REF_NAME contains the branch name from the push event.
          GITHUB_REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          git clone --branch "${GITHUB_REF_NAME}" ssh://git@git.coresecret.dev:42842/msw/CISS.debian.live.builder.git .
-          git fetch --unshallow || echo "Nothing to fetch - already full clone."
-
-      - name: 🛠️ Cleaning the workspace.
-        shell: bash
-        run: |
-          set -euo pipefail
-          git reset --hard
-          git clean -fd

      - name: ⚙️ Importing the 'CI PGP DEPLOY ONLY' key.
-        shell: bash
        run: |
          set -euo pipefail
          ### GPG-Home relative to the Runner Workspace to avoid changing global files.
-          export GNUPGHOME="$(pwd)/.gnupg"
-          mkdir -m 700 "${GNUPGHOME}"
+          export GNUPGHOME="$(PWD)/.gnupg"
+          mkdir -m 0700 "${GNUPGHOME}"
          echo "${{ secrets.PGP_MSW_DEPLOY_CORESECRET_DEV }}" >| ci-bot.sec.asc
          gpg --batch --import ci-bot.sec.asc
          ### Trust the key automatically
@@ -91,10 +97,9 @@ jobs:
          echo "trust-model always" >| "${GNUPGHOME}/gpg.conf"

      - name: ⚙️ Configuring Git for signed CI/DEPLOY commits.
-        shell: bash
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"
          git config user.name "Marc S. Weidner BOT"
          git config user.email "msw+bot@coresecret.dev"
          git config commit.gpgsign true
@@ -102,21 +107,18 @@ jobs:
          git config gpg.format openpgp

      - name: ⚙️ Convert APT sources to HTTPS.
-        shell: bash
        run: |
          set -euo pipefail
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list
          sed -i 's|http://\(archive\.ubuntu\.com\|security\.ubuntu\.com\)|https://\1|g' /etc/apt/sources.list.d/*.list || true

-      - name: 🛠️ Install Graphviz.
-        shell: bash
+      - name: 🔧 Install Graphviz.
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y graphviz

-      - name: 🛠️ Render all .dot / .gv to PNG.
-        shell: bash
+      - name: 🔧 Render all .dot / .gv to PNG.
        run: |
          set -euo pipefail
          find . -type f \( -name "*.dot" -o -name "*.gv" \) | while read file; do
@@ -125,7 +127,6 @@ jobs:
          done

      - name: 🚧 Stash local changes (including untracked).
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -134,12 +135,11 @@ jobs:
          git stash push --include-untracked -m "ci-temp" || echo "✔️ Nothing to stash."

      - name: 🔄 Sync with remote before commit using merge strategy.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          echo "🔄 Fetching origin/master ..."
          git fetch origin master
@@ -151,8 +151,7 @@ jobs:
          git status
          git log --oneline -n 5

-      - name: 🛠️ Restore stashed changes.
-        shell: bash
+      - name: 🔧 Restore stashed changes.
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -161,7 +160,6 @@ jobs:
          git stash pop || echo "✔️ Nothing to pop."

      - name: 📦 Stage generated files.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
@@ -169,12 +167,11 @@ jobs:
          git add *.png || echo "✔️ Nothing to add."

      - name: 🔑 Commit and sign changes with CI metadata.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
          set -euo pipefail
-          export GNUPGHOME="$(pwd)/.gnupg"
+          export GNUPGHOME="$(PWD)/.gnupg"

          if git diff --cached --quiet; then
            echo "✔️ No staged changes to commit."
@@ -186,7 +183,7 @@ jobs:
            HOSTNAME="$(hostname -f || hostname)"
            GIT_SHA="$(git rev-parse --short HEAD)"
            GIT_REF="$(git symbolic-ref --short HEAD || echo detached)"
-            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-md-to-html.yaml}"
+            WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
            CI_HEADER="X-CI-Metadata: ${GIT_REF}@${GIT_SHA} at ${TIMESTAMP_UTC} on ${HOSTNAME}"

            COMMIT_MSG="DEPLOY BOT   : 🔁 Auto-Generate PNG from *.dot. [skip ci]
@@ -205,7 +202,6 @@ jobs:
          fi

      - name: 🔁 Push back to repository.
-        shell: bash
        env:
          GIT_SSH_COMMAND: "ssh -p 42842"
        run: |
--- a/.gitignore
+++ b/.gitignore
@@ -10,7 +10,6 @@
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
-build/
 out/
 target/
 *.DS_Store
--- a/.pubkey/dropbear-key-2015.asc
+++ b/.pubkey/dropbear-key-2015.asc
@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFWRP60BEACmOtUkYtbGNcmXdSKJ7caplzIbjuRWgSDR860hEosRDQqwORCL
+50xAEnPxgEiryONJUgOF0NRkBGJS9BsvfO3hH0LL4YSRTi0Wv7hJHTtqyzwa9qAH
+clyzNoq25dgy3D8OS6Bx1SgKFm8UTxTiCRTD0l1pRJx9efVEcAGkLgiconmyFZpJ
+oJ5XX8786bKucx791aA/26atNIzzsSo/295YAMi3QjIL5Mh5qtprSJkFRKcMx/Ay
+KaVzFlM8A/Kqea1cFiqwCJ9UNUdfvBa6K9HvTr6mPhznvH/ORt4m0sDigEoJAqLp
+KWNmjw7yITAK72nBDi/qQEhudUk22m9cVNV/mdNFoRkl9gDkgFvlcM6JksqOxkGp
+SAOJGdOU4V82e8FDSEK9C/pY+leeWeG5h/CLtw1v+Sdhk0PPRr17VKKOLCw2FGx1
+fcRYNdsuoMN4K8fgLoCzzKbyMC+y6sENEgEHSSPQDQ75XzM2Bo1UpfcHWpjqEllu
+8slhPWagckf07n0eOAARPIARlae+Wo8cYBScoZ30P5iOmYRWsxQ0HGwcLieyhuiS
+rb/NBex/tnR5ykvJNLW59P1Q5y7dpp/fLO6DpufAf+uoIfLOChnw3S5fvSL8ftxd
+GyWS79cMUkhcnFID2qfnaykxNsunuD9pEgfo9XhDk0iKZoCEKehRTau1rQARAQAB
+tC5Ecm9wYmVhciBTU0ggUmVsZWFzZSBTaWduaW5nIDxtYXR0QHVjYy5hc24uYXU+
+iQI3BBMBCgAhBQJVkT+tAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEEST
+FJTynGdzHgQP/1bVxV0KqXxEJpRSiu3aOEDu2WHIJahizZ94AClgPB0r14pEgT4T
+eCOdxinubENH+u1/ShlBVykTGyukmonhd10v8NGWAUldhkPi3jaHcxHSfENWXmu/
+KBpcHQ0j2/PlO+RxpNkGUWTjTu9WKFiFeIX60QLCMDJpOvPe49yb650xMpjTROM
+5yOGdTkmAw4SZCkHmd7zgmzSHxXnNzXLvT9bYsJXVZwXB7Jqw4bwOHGpqB3kXsQ2
+LR2pMitM8YV3Gmjtvy+mpBqvdQ5fsxISFTC5wAUT9f6jsHfFLUv6OuNLrhZghioT
+fjPj58nfD1/4j7ka9mSyZV0PEhW5f5GYvt3WEeJJyZyhkjAkzjtZTi5sTs+QtRm0
+APCspF/y1afErS5adjTjuzSkyVx9VMBowqiYo6AGu7byajNf0rFPtTgDBC3j4Mae
+vL5k1KvXuX1Hr1zZiM1OVMt4EOmY7mERmHXwVv1bOK/uUwQkCXKCFpP/v7a5VHL
+qpwCF65mBTW/G1ZKglUQT0JeyVJqqQHVKbNzgMSpDM7ra80/KFOg6zb9iNbjxRrH
+NfXeAGbmSWwbpFBNT3kbJWUqjqLkoD2R7rNN5SnzdPEGk/aCGuYZlLFE8k5/mJ3V
+K3X1t11fgu9lqYFpv7CenwXrbVCgxDkoic84+HezqXyQnoAp9n8xJI6diQIcBBAB
+CgAGBQJVkT+/AAoJEPSYMBLCC7qsbiQP/1qKpOo73GPvISknRpPYVWX0z7yMRUAB
+7gA9SYF7n0jOHwDAFKjYQdpIxff3xPbLaB9bRQFq6m67o1Ly5bwxXGPclsJQP/r3
+GQ8it7Dzs4JSi1Yk4Fg+Po4tHWSpW53uRKtryiaYEoQ9LYQd8fS3JDWFtkXYUVAM
+xKmKINr4UKExlYBpQS2AWve4Ou3xM9dxiDX4pH3azD8Qb24rC5vbkG8Sq+2+/QIV
+i/JxbSQHaJ+kaukHRufHWqgg4xOBE8gfS82RHqNxES1CeWcejNxhsXQP9cfUxsvZ
+2Lchm3leOZ/2ztVQ4O8aJOKN+ng8pqOjKuJDamQmN0L/1N3lfN+gg5Ccluyoj89f
+gxDuINJDeY7aulFcGfIIsa0AuDWyAly1Lcwz/Sle2WOA7xcg8FcdhqV9158a+BzB
+cSMvHRs0W0Xwsso3GyUfDomqWuOfERvQXRgwKR0SFYDeHAlB3dhKHt/KjDn0nqEo
+CFtg4ZjA0hh1KMgu5ceticwuEQOkPX5H3ZpqH99LBekHjgdp5m87FG2bWVVkYGIm
+BBoFNnCBVMXonmyZlFstZNDcvb4cYYY+gN6yDFqX1HkqV1RDSHMO7KEmVwPOg/LK
+lKpH//tEulZUqN0h8ldoNKEMRa1OOGl8nNygJFldoPzoY/3ZAbIJy8KwZeWUjkzv
+WieMGaws051uiEYEEBEKAAYFAlWRRVgACgkQjPn4sExkf7wC9wCgh2nBBbfhkvE4
+Xj3d7uSYCr1oLEEAnjJ+RpVfu3Gpye5Q+0X8EFiMLlXZ
+=kT6a
+-----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg
+++ b/.pubkey/marc_s_weidner_msw+bot@coreseret.dev_0x8733B021_public.gpg
--- a/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
+++ b/.pubkey/marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc
@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mEkFaQzeVBYAAAA/AytlcQHGPz+Tku/rFh5KSbHE465pYWjWOWSl26vKCk5HNMX6
+y2MGyUUbm5tVYHymp3EYbRBS8dJ+qKCKrzyAtDJNYXJjIFMuIFdlaWRuZXIgREVQ
+TE9ZIDxtc3crZGVwbG95QGNvcmVzZWNyZXQuZGV2PojNBRMWCABNIiEFmAiaRyzP
+RgHNUdfHCV02U1KW6hS43pIZhyPE3GBuj3YFAmkM3lQCGwMFCQfPlNwFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AAAA+GAcduwdOub1yMWc0o5e1qdkI/8Pv9jqYF
+P46Ko2UU24Q3AaYC5oBFyD4sKf4ojosYovs4fzrZCXqbH4ABxi0kmYEUZT11L+Ex
+AfiwNvJBCzlcvLzdK7A+ZBDgdaV5pybSN4/ZnUKkUSzZV/6odcVM2LtqkbAHAIjU
+BRAWCABUIiEFb9PDFk6t5GIBJKfozM13iXXLB7VAp8veRtbuNEidacIFAmkM3vEF
+gwfP84AkFIAAAAAADQAOcmVtQGdudXBnLm9yZ0NlbnR1cmlvbixDSUNBAACKBAHI
+5t3aZSnSERrnAZ3rwxItsTB9KeTVdtRnpxyZ7leBf4987ECcfwDDozkDGFo2cJwg
+eKPRloMif1eAAcjOdUXeunlNBTlPlyOBk0ukWT5SgVeZUl5bsNRgJWu7MoNiT9vQ
+M7gJjlyYcVoMZ47G7TA9Z+goJwC4TAVpDN5UEgAAAEIDK2VvAcCPfkOJzBvvplco
+PXb8jg4AsJXU10wHSucHMdR2R26+IJTCAYU6d3O47wTBr6QFc5HRgDZcf6FngQMB
+CgmIsgUYFggAMiIhBZgImkcsz0YBzVHXxwldNlNSluoUuN6SGYcjxNxgbo92BQJp
+DN5UAhsMBQkHz5TcAABuDQHI5Zp2rsRwc0WR0WaaQOIFh7KdL7x3dHljJ5u2m6Zc
+pzmlnZGuCTe0BmVzECJhq7Yqi+ajENbWOc+AAcUbToifr1VvbgZgUDtA+f2IlHRM
+ovaAOH5ED+DHy6OjEmBG43ZIPQbsbD4td5VIZoi+f6npZrhXNQA=
+=Q67G
+-----END PGP PUBLIC KEY BLOCK-----
--- a/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg
+++ b/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.gpg
--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -1,14 +1,17 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
+# SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+# https://github.com/koalaman/shellcheck/wiki/directive
+# https://github.com/koalaman/shellcheck/wiki/Optional
+
 encoding=utf-8
 external-sources=true
 shell=bash
@@ -16,6 +19,8 @@ source-path=~/lib
 source-path=~/scripts
 source-path=~/var

+enable=add-default-case
+enable=avoid-negated-conditions
 enable=avoid-nullary-conditions
 enable=check-extra-masked-returns
 enable=check-set-e-suppressed
@@ -24,5 +29,6 @@ enable=deprecate-which
 enable=quote-safe-variables
 enable=require-double-brackets
 enable=require-variable-braces
+enable=useless-use-of-cat

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/.version.properties
+++ b/.version.properties
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.142.2025.10.14"
+properties_version="V8.13.408.2025.11.13"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/CISS.debian.live.builder.spdx
+++ b/CISS.debian.live.builder.spdx
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.142.2025.10.14
+PackageVersion: Master V8.13.408.2025.11.13
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
--- a/LINTER_RESULTS.txt
+++ b/LINTER_RESULTS.txt
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-13; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,8 +9,8 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T19:37:03Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-11-13T09:05:08Z"

-⚠️ The last linter check was NOT successful. ⚠️
+✅ The last linter check was successful. ✅

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO.public
+++ b/LIVE_ISO.public
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T22:23:27Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T11:15:54Z"

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T21_30_07Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T10_21_17Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  442037d11eb48f4adbd1a3da17cf36062ec6be816627c38fe814458840020f212c551b96d5e785c4372fa09fc11fd9529f34166530b1e1f5ce9335abadb5f771
+  c4694bb55c7571df893dace7469ca4f90693eb61922508e6e5795cb442c01f2e487d055f23c27f3d1226bdd30aa4f5522af07addfc16b6f7d3224394590bd591
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7NXwAKCRA85KY4hzOw
-IT3LAP4uP8glLMDEpUntKJQTiPqSYjGUyIFoKmsgALGPJcnnoQD/fcz4Mq12mF32
-jf4ETKQBqlxuQyLTPvPFhLsrBbDD0AI=
-=/UNR
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQH3agAKCRA85KY4hzOw
+IbCaAP9Dqt8oESXBWNUgzCBDmBc/uZgDKJ/Ve/oIXsUGIfIqnwD/fovruI1dvGen
+4p02K+Dc5sf9sdU0IjMDrWVZAj8uBA0=
+=ieyd
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_0.private
+++ b/LIVE_ISO_TRIXIE_0.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-08; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T20:32:28Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-11-08T19:46:24Z"

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T19_36_59Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_11_08T18_57_19Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  57559f9b9c5e50dad6a5b2023d992c26b8f4d25dd0d45ffa5cfd479ee623287e2c2eead70016267b848c5910db5ba5c4e2dfeeb12cca6f59fe455dad886c51d9
+  11065e6ed8f99b533352ad86bd5b4cc9b407652e79a34718da6aad46a5f603738553fde6fbcceaa3128bfbbfa4c1674c05552232d4620ea250bc029545600718
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO6zXAAKCRA85KY4hzOw
-Idq2AQDRmgHRGnX1bn+cNV5JirecSke0IAwlAjEXOl4tFoQlewEA0s2R1A3OQjIq
-fAhdl2wltVNT5+jUg6EUj3FE3kVPaQo=
-=fmxg
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQ+eEAAKCRA85KY4hzOw
+IcJaAP9FYAzawGRXQqt5mEL3SQy4cSDkc5/r/KDhy+ABdVNMvAEA1ReKZ7qXrESP
+rgP2MsHaXHVBWGJUvFyMf6dUpbjEnA8=
+=SkUY
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/LIVE_ISO_TRIXIE_1.private
+++ b/LIVE_ISO_TRIXIE_1.private
@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-14; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-This file was automatically generated by the DEPLOY BOT on: "2025-10-14T21:28:34Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"

 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_14T20_33_51Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  4a47a1ed0986b67774047b2bfc6fdd53753fa8f301f8376b23ccde1f5187aeffbca7fce3194a3d7b61278630291a1d2d954a289da712c064326eb6b7020c228c
+  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
 CISS.debian.live.builder ISO sha512 sign :
  -----BEGIN PGP SIGNATURE-----

-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaO7AggAKCRA85KY4hzOw
-IWpdAP4xCxUP4V0lOBE1u7+wEOoEmXiRC10Va4Hf2UXjH1BSVwEAsz/cMaGt+rJT
-q0i+5EftPavvIst48aXQsp7QKjyNewM=
-=x3/T
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
+ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
+Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
+=o+0d
 -----END PGP SIGNATURE-----

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.142.2025.10.14-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.408.2025.11.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,8 +11,9 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.24.6-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
@@ -26,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.408.2025.11.13<br>

 This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
 and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -151,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V8.13.142.2025.10.14`
+Example: `V8.13.408.2025.11.13`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -290,7 +291,7 @@ apply or revert these controls.
 * **Description**: The SSH tunnel and access are secured through multiple layers of defense:
  * **Firewall Restriction**: ufw allows connections only from defined jump host or VPN exit node IPs.
  * **TCP Wrappers**: `/etc/hosts.allow` and `/etc/hosts.deny` enforce an `ALL: ALL` deny policy, permitting only specified hosts.
-  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/centurion-default.conf` immediately bans any host 
+  * **One-Hit Ban**: A custom Fail2Ban rule `/etc/fail2ban/jail.d/ciss-default.conf` immediately bans any host 
    that touches closed ports. 
    * Additionally, the `fail2ban` service is hardened as well according to:
    [Arch Linux Wiki Fail2ban Hardening](https://wiki.archlinux.org/title/fail2ban#Service_hardening) 
@@ -439,9 +440,9 @@ predictable script behavior.
   
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Make any other changes you need to.

 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -449,21 +450,29 @@ predictable script behavior.
   ````bash
   chmod 0700 ./ciss_live_builder.sh
   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
-   ./ciss_live_builder.sh --architecture amd64 \
-                          --build-directory /opt/livebuild \
-                          --change-splash hexagon \
-                          --control "${timestamp}" \
-                          --cdi \
-                          --debug \
-                          --dhcp-centurion \
-                          --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
-                          --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
-                          --renice-priority "-19" \
-                          --reionice-priority 1 2 \
-                          --root-password-file /opt/gitea/CISS.debian.live.builder/password.txt \
-                          --ssh-port 4242 \
-                          --ssh-pubkey /opt/gitea/CISS.debian.live.builder \
-                          --trixie
+   ./ciss_live_builder.sh \
+     --architecture amd64 \
+     --autobuild=6.16.3+deb13-amd64 \
+     --build-directory /opt/cdlb \
+     --cdi \
+     --change-splash hexagon \
+     --control "${timestamp}" \
+     --debug \
+     --dhcp-centurion \
+     --jump-host 10.0.0.128 [c0de:4711:0815:4242::1] [2abc:4711:0815:4242::1]/64 \
+     --key_age=keys.txt \
+     --key_luks=luks.txt \
+     --provider-netcup-ipv6 [c0de:4711:0815:4242::ffff] \
+     --reionice-priority 1 2 \
+     --renice-priority "-19" \
+     --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
+     --signing_key_pass=signing_key_pass.txt \
+     --signing_key=signing_key.asc \
+     --ssh-port 4242 \
+     --ssh-pubkey /dev/shm/cdlb_secrets \
+     --sshfp \
+     --trixie
   ````

 4. Locate your ISO in the `--build-directory`.
@@ -487,9 +496,9 @@ preview it or run it.

 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/livebuild`.
-   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
-   4. Place your desired Password in the `password.txt` file, for example, in the `/opt/gitea/CISS.debian.live.builder` directory.
+   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
+   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   5. Copy and edit the sample and set your options (no spaces around commas in lists): 

    ````bash
@@ -497,10 +506,10 @@ preview it or run it.
    ````

    ````bash
-    BUILD_DIR=/opt/livebuild
-    ROOT_PASSWORD_FILE=/opt/gitea/CISS.debian.live.builder/password.txt
+    BUILD_DIR=/opt/cdlb
+    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
    SSH_PORT=4242
-    SSH_PUBKEY=/root/.ssh
+    SSH_PUBKEY=/dev/shm/cdlb_secrets

    # Optional
    PROVIDER_NETCUP_IPV6=2001:cdb::1
@@ -533,7 +542,7 @@ preview it or run it.

            ### Private Key
            echo "${{ secrets.CHANGE_ME }}" >| ~/.ssh/id_ed25519
-            chmod 600 ~/.ssh/id_ed25519
+            chmod 0600 ~/.ssh/id_ed25519
  #...
        ### https://github.com/actions/checkout/issues/1843
        - name: Using manual clone via SSH to circumvent Gitea SHA-256 object issues.
--- a/REPOSITORY.md
+++ b/REPOSITORY.md
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.142.2025.10.14<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2.1. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.142.2025.10.14** (as of 2025-10-11)
+**Repository State:** Master Version **8.13**, Build **V8.13.408.2025.11.13** (as of 2025-10-11)

 ## 2.2. Top-Level Layout

@@ -69,7 +69,7 @@ CISS.debian.live.builder/

 ### 2.3.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_fail2ban_hardening.chroot`).
+- **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
 - **`includes.chroot/`**: Files copied into the live system’s root:
  - `etc/` (APT configuration, `live/`, `modprobe.d/`, network, SSH, `sysctl.d/`, systemd drop-ins, banners),
--- a/ciss_live_builder.sh
+++ b/ciss_live_builder.sh
@@ -21,24 +21,20 @@
 # or Cygwin on Windows systems.

 ### CATCH ARGUMENTS AND DECLARE BASIC VARIABLES.
-# shellcheck disable=SC2155
+# shellcheck disable=SC2155,SC2249
+declare -agx  ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -girx VAR_START_TIME="${SECONDS}"                                # Start time of script execution.
 declare -grx  VAR_PARAM_COUNT="$#"                                       # Arguments passed to script.
 declare -grx  VAR_PARAM_STRNG="$*"                                       # Arguments passed to script as string.
-declare -ag   ARY_PARAM_ARRAY=("$@")                                     # Arguments passed to script as an array.
 declare -grx  VAR_SETUP_FILE="${0##*/}"                                  # 'ciss_debian_live_builder.sh'
-declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/opt/git/CISS.debian.live.builder'
-declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/opt/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
-# shellcheck disable=SC2155
-declare -grx SCRIPT_FULLPATH="$(readlink -f "${BASH_SOURCE[0]:-$0}")"
-# shellcheck disable=SC2155
-declare -grx SCRIPT_BASEPATH="$(dirname "${SCRIPT_FULLPATH}")"
-# shellcheck disable=SC2155
-declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
+declare -grx  VAR_SETUP_FULL="$(cd "$(dirname "${0}")" && pwd)/${0##*/}" # '/root/git/CISS.debian.live.builder/ciss_debian_live_builder.sh'
+declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/root/git/CISS.debian.live.builder'
+declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
+declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'

 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
-# shellcheck disable=2292
+# shellcheck disable=SC2292
 [ -z "${BASH_VERSINFO[0]}" ] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2
@@ -60,7 +56,7 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
 }

 ### Check to be not called by sh.
-# shellcheck disable=2312
+# shellcheck disable=SC2312
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
  . ./var/global.var.sh
  printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2
@@ -95,30 +91,40 @@ declare -grx VAR_WORKDIR="$(dirname "${SCRIPT_FULLPATH}")"
  exit 1
 }

-### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING(), CHECK_GIT()
+### SOURCING MUST SET EARLY VARIABLES, GUARD_SOURCING().
 . ./var/early.var.sh
 . ./lib/lib_guard_sourcing.sh
 . ./lib/lib_source_guard.sh
-source_guard "./lib/lib_git_var.sh"

-### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG
-for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh; contact; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh  ; usage  ; exit 0;; esac; done
-for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh; version; exit 0;; esac; done
-
-### ALL CHECKS DONE. READY TO START THE SCRIPT
+### SECURING ENVIRONMENT.
 source_guard "./var/bash.var.sh"
-check_git
-for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
-declare -gx VAR_SETUP="true"

-### SOURCING VARIABLES
+### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
+for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
+
+### ALL CHECKS DONE. READY TO START THE SCRIPT.
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+declare -grx VAR_SETUP="true"
+
+### SECURING SECRETS ARTIFACTS.
+test ! -L "${VAR_TMP_SECRET}" || {
+  . ./var/global.var.sh
+  printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
+  exit "${ERR_SECRETSSYM}"
+}
+find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
+find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
+
+### SOURCING VARIABLES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./var/color.var.sh"
  source_guard "./var/global.var.sh"
 }

-### SOURCING LIBRARIES
+### SOURCING LIBRARIES.
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
@@ -130,29 +136,38 @@ declare -gx VAR_SETUP="true"
  source_guard "./lib/lib_check_kernel.sh"
  source_guard "./lib/lib_check_pkgs.sh"
  source_guard "./lib/lib_check_provider.sh"
+  source_guard "./lib/lib_check_secrets.sh"
  source_guard "./lib/lib_check_stats.sh"
  source_guard "./lib/lib_check_var.sh"
+  source_guard "./lib/lib_ciss_signatures.sh"
+  source_guard "./lib/lib_ciss_upgrades_boot.sh"
+  source_guard "./lib/lib_ciss_upgrades_build.sh"
  source_guard "./lib/lib_clean_screen.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
-  source_guard "./lib/lib_hardening_ssh.sh"
+  source_guard "./lib/lib_hardening_ssh_tcp.sh"
  source_guard "./lib/lib_hardening_ultra.sh"
  source_guard "./lib/lib_helper_ip.sh"
  source_guard "./lib/lib_lb_build_start.sh"
  source_guard "./lib/lib_lb_config_start.sh"
-  source_guard "./lib/lib_lb_config_write.sh"
  source_guard "./lib/lib_lb_config_write_trixie.sh"
  source_guard "./lib/lib_note_target.sh"
+  source_guard "./lib/lib_primordial.sh"
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
+  source_guard "./lib/lib_update_microcode.sh"
  source_guard "./lib/lib_usage.sh"
 }

-### ADVISORY LOCK
+### CHECKING REQUIRED PACKAGES.
+check_pkgs
+
+### ADVISORY LOCK.
 exec 127>/var/lock/ciss_live_builder.lock || {
  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
  exit "${ERR_FLOCK_WRTG}"
@@ -163,95 +178,90 @@ if ! flock -x -n 127; then
  exit "${ERR_FLOCK_COLL}"
 fi

-### CHECK FOR AUTOBUILD MODE
+### CHECK FOR AUTOBUILD MODE.
 for arg in "$@"; do case "${arg,,}" in -a=*|--autobuild=*) declare -gx VAR_HANDLER_AUTOBUILD="true"; declare -gx VAR_KERNEL="${arg#*=}";; esac; done; unset arg
 for dir in /usr/local/sbin /usr/sbin; do case ":${PATH}:" in *":${dir}:"*) ;; *) PATH="${PATH}:${dir}" ;; esac; done; export PATH; unset dir

-### CHECKING REQUIRED PACKAGES
-check_pkgs
-
-### DIALOG OUTPUT FOR INITIALIZATION
+### DIALOG OUTPUT FOR INITIALIZATION.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi

-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi

-### Updating Status of Dialog Gauge Bar
-if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nAdditional initialization ... \nXXX\n30\n" >&3; fi
-
-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
 ### Following the CISS Bash naming and ordering scheme:
-trap 'trap_on_exit "$?"' EXIT
-trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
+trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
 arg_check "$@"
-declare -ar ARY_ARG_SANITIZED=("$@")
-declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -ar  ARY_ARG_SANITIZED=("$@")
+declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
 arg_parser "$@"

-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip

-### Updating Status of Dialog Gauge Bar
+### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization completed ... \nXXX\n100\n" >&3; sleep 1; fi

-### Turn off Dialog Wrapper
+### Turn off the dialog wrapper.
 if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi

-### MAIN Program
+### MAIN Program ---------------------------------------------------------------------------------------------------------------
 arg_priority_check
 check_stats
+
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_provider; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then check_kernel; fi

-if [[ ! "${VAR_SSHFP}" == "true" ]]; then
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial"
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/root/.ssh/id_2025_ed25519_ciss_primordial.pub"
-fi
+ciss_upgrades_build
+hardening_ssh_tcp

-check_hooks
-hardening_ssh
+### Preparing the build environment.
 lb_config_start

-if [[ "${VAR_SUITE}" == "bookworm" ]]; then
+### Writing the build configuration.
+lb_config_write_trixie

-  lb_config_write
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_trixie.chroot"
-  rm -f "${SCRIPT_BASEPATH}/config/includes.chroot/etc/login.defs"
+### Init GNUPGHOME.
+init_gnupg

-else
-
-  lb_config_write_trixie
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/0003_install_backports.chroot"
-  rm -f "${SCRIPT_BASEPATH}/config/hooks/live/9998_sources_list_bookworm.chroot"
-
-fi
-
-# shellcheck disable=SC2164
-cd "${VAR_WORKDIR}"
+### Integrate primordial SSH identity files.
+init_primordial

+### Integrate the CISS.debian.live.builder repository into the build directory.
+### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
-hardening_root_pw
+
+### CISS.debian.installer 'GRUB' and 'autostart' generator.
+cdi
+
+### Final CISS.debian.live.builder integrations.
 change_splash
 check_dhcp
-cdi
-provider_netcup
+ciss_signatures
+ciss_upgrades_boot
+hardening_root_pw
 note_target
+provider_netcup
+update_microcode
+x_hooks
+x_remove

-### Start the build process
+### Start the build process ----------------------------------------------------------------------------------------------------
 set +o errtrace
 lb_build_start
-
 set -o errtrace
+
 run_analysis
 copy_db
-declare -g VAR_SCRIPT_SUCCESS=true
+declare -grx VAR_SCRIPT_SUCCESS="true"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/.keep
+++ b/config/hooks/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -13,15 +13,225 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
-apt-get update -qq
+# shellcheck disable=SC2155
+declare -gx VAR_DATE="$(date +%F)"

-mkdir -p /root/.ciss/dlb/{backup,log}
-chmod 0700 /root/.ciss/dlb/{backup,log}
+#######################################
+# Generates '/etc/default/ciss-xdg-profile'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_profile() {
+  cat << EOF >> /etc/default/ciss-xdg-profile
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Default toggles for ciss-xdg-profile
+# 1 = enable, 0 = disable
+
+ENABLE_XDG_BASH_HISTORY=1
+ENABLE_XDG_LESS_HISTORY=1
+ENABLE_XDG_ZSH_HISTORY=1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+  chmod 0644 /etc/default/ciss-xdg-profile
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_profile
+
+#######################################
+# Generates '/etc/profile.d/ciss-xdg.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_sh() {
+  cat << EOF >| /etc/profile.d/ciss-xdg.sh
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+EOF
+  cat << 'EOF' >> /etc/profile.d/ciss-xdg.sh
+# shellcheck shell=sh
+
+# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.
+
+### XDG variables (do not override if already set).
+export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
+# shellcheck disable=SC2312
+if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
+  # shellcheck disable=SC2155
+  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
+fi
+
+### Create canonical directories idempotently with 0700.
+_xdg_umask="$(umask)"
+umask 077
+[ -d "${XDG_CONFIG_HOME}"     ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
+[ -d "${XDG_DATA_HOME}"       ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
+[ -d "${XDG_CACHE_HOME}"      ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
+[ -d "${XDG_STATE_HOME}"      ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
+umask "${_xdg_umask}"
+unset _xdg_umask
+
+### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
+[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
+  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
+  export HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+### Less history -> XDG_STATE_HOME
+if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
+  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
+  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
+fi
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  chmod 0755 /etc/profile.d/ciss-xdg.sh
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_sh
+
+#######################################
+# Generates '/root/ciss_xdg_tmp.sh'
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+generate_ciss_xdg_tmp_sh() {
+  cat << EOF >| /root/ciss_xdg_tmp.sh
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### XDG variables (do not override if already set).
+
+EOF
+  cat << 'EOF' >> /root/ciss_xdg_tmp.sh
+set -a
+
+# shellcheck disable=SC2034
+XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
+# shellcheck disable=SC2034
+XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
+# shellcheck disable=SC2034
+XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
+# shellcheck disable=SC2034
+XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
+# shellcheck disable=SC2034
+XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
+# shellcheck disable=SC2034
+XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"
+
+### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
+[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile
+
+### Bash history -> XDG_STATE_HOME (only if running bash).
+if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
+  HISTFILE="${XDG_STATE_HOME}/bash/history"
+fi
+
+set +a
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0700 /root/ciss_xdg_tmp.sh
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f generate_ciss_xdg_tmp_sh
+
+### Ensuring XDG compliance: https://specifications.freedesktop.org/basedir/latest/ --------------------------------------------
+generate_ciss_xdg_profile
+generate_ciss_xdg_sh
+generate_ciss_xdg_tmp_sh
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+apt-get update -qq
+apt-get install -y --no-install-suggests libpam-systemd
+
+
+### Installing microcode updates -----------------------------------------------------------------------------------------------
+if [[ -f /root/.architecture ]]; then
+
+  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
+  rm -f /root/.architecture
+
+fi
+
+### Prepare environment --------------------------------------------------------------------------------------------------------
+mkdir -p /root/.ciss/cdlb/{backup,log,private_keys}
+chmod 0700 /root/.ciss/cdlb/{backup,log,private_keys}

 mkdir -p /root/git
 chmod 0700 /root/git

+mkdir -p /etc/ciss/keys
+chmod 0755 /etc/ciss/keys
+
+### Mask apt show version unit and timer ---------------------------------------------------------------------------------------
+ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
+ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
+rm -f /etc/cron.daily/apt-show-versions || true
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -52,15 +52,16 @@ grep_nic_driver_modules() {

  return 0
 }
-
-export DEBIAN_FRONTEND="noninteractive"
-apt-get install -y intel-microcode amd64-microcode
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f grep_nic_driver_modules

 # shellcheck disable=SC2155
-declare nic_driver="$(grep_nic_driver_modules)"
+declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
+
 cat << EOF >| /etc/initramfs-tools/modules
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -82,19 +83,10 @@ cat << EOF >| /etc/initramfs-tools/modules
 # raid1
 # sd_mod

-### Load AppArmor early:
+### AppArmor -------------------------------------------------------------------------------------------------------------------
 apparmor

-### Entropy source for '/dev/random':
-jitterentropy_rng
-rng_core
-
-### Live-ISO-Stack:
-loop
-squashfs
-overlay
-
-### Main btrfs-Stack:
+### btrfs ----------------------------------------------------------------------------------------------------------------------
 btrfs
 lzo
 xor
@@ -102,28 +94,7 @@ xxhash
 zstd
 zstd_compress

-### Main ext4-Stack:
-ext4
-jbd2
-libcrc32c
-
-### Main VFAT/ESP/FAT/UEFI-Stack:
-exfat
-fat
-nls_ascii
-nls_cp437
-nls_iso8859-1
-nls_iso8859-15
-nls_utf8
-vfat
-
-### Device mapper, encryption & integrity:
-dm_mod
-dm_crypt
-dm_integrity
-dm_verity
-
-### Main cryptography-Stack:
+### cryptography ---------------------------------------------------------------------------------------------------------------
 aes_generic
 blake2b_generic
 crc32c_generic
@@ -133,54 +104,106 @@ sha256_generic
 sha512_generic
 xts

-### QEMU Bochs-compatible virtual machine support:
-bochs
+### cryptsetup -----------------------------------------------------------------------------------------------------------------
+dm_crypt
+dm_integrity
+dm_mod
+dm_verity

-### RAID6 parity generation module:
-raid6_pq
+### Entropy --------------------------------------------------------------------------------------------------------------------
+jitterentropy_rng
+rng_core

-### Combined RAID4/5/6 support module:
-raid456
+### ESP/FAT/UEFI ---------------------------------------------------------------------------------------------------------------
+exfat
+fat
+nls_ascii
+nls_cp437
+nls_iso8859-1
+nls_iso8859-15
+nls_utf8
+vfat

-### SCSI/SATA-Stack:
-sd_mod
-sr_mod
-sg
-ahci
-libahci
-ata_generic
-libata
-scsi_mod
-scsi_dh_alua
+### ext4 -----------------------------------------------------------------------------------------------------------------------
+ext4
+jbd2
+libcrc32c

-### NVMe-Stack:
+### Live-ISO -------------------------------------------------------------------------------------------------------------------
+loop
+squashfs
+overlay
+
+#### nftables ------------------------------------------------------------------------------------------------------------------
+#nf_log_common  # built-in
+#nft_counter    # built-in
+#nft_icmp       # built-in
+#nft_icmpv6     # built-in
+#nft_meta       # built-in
+#nft_set_hash   # built-in
+#nft_set_rbtree # built-in
+#nft_tcp        # built-in
+#nft_udp        # built-in
+nf_conntrack
+nf_nat
+nf_reject_ipv4
+nf_reject_ipv6
+nf_tables
+nfnetlink
+nfnetlink_log
+nft_ct
+nft_limit
+nft_log
+nft_masq
+nft_nat
+nft_reject_inet
+
+### NVMe -----------------------------------------------------------------------------------------------------------------------
 nvme
 nvme_core

-### USB-Stack:
-xhci_pci
-xhci_hcd
+### QEMU -----------------------------------------------------------------------------------------------------------------------
+bochs
+
+### RAID -----------------------------------------------------------------------------------------------------------------------
+raid456
+raid6_pq
+
+### SCSI/SATA ------------------------------------------------------------------------------------------------------------------
+ahci
+ata_generic
+libahci
+libata
+scsi_dh_alua
+scsi_mod
+sd_mod
+sg
+sr_mod
+
+### USB ------------------------------------------------------------------------------------------------------------------------
 ehci_pci
 ohci_pci
+uas
 uhci_hcd
 usb_storage
-uas
+xhci_hcd
+xhci_pci

-### Virtual-Machines-Stack:
-virtio_pci
+### Virtual --------------------------------------------------------------------------------------------------------------------
 virtio_blk
-virtio_scsi
-virtio_rng
 virtio_console
+virtio_pci
+virtio_rng
+virtio_scsi

-### Network Driver Host-machine:
+### Network Driver Host-machine ------------------------------------------------------------------------------------------------
 "${nic_driver}"

 EOF

-cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
+cat << EOF >| /etc/initramfs-tools/update-initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -201,7 +224,7 @@ cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
 # If set to all update-initramfs will update all initramfs
 # If set to no disables any update to initramfs besides kernel upgrade

-update_initramfs=yes
+update_initramfs=all

 #
 # backup_initramfs [ yes | no ]
@@ -213,9 +236,9 @@ backup_initramfs=no

 EOF

-cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
+cat << EOF >| /etc/initramfs-tools/initramfs.conf
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -277,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1-9 for gzip|bzip2|lzma|lzop
-# 0-9 for  lz4|xz
-# 0-19 for zstd
-# COMPRESSLEVEL=3
+# 1...9 for gzip|bzip2|lzma|lzop
+# 0...9 for  lz4|xz
+# 0...19 for zstd
+COMPRESSLEVEL=16

 #
 # DEVICE: ...
@@ -317,45 +340,10 @@ FSTYPE=auto

 EOF

-cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
-#!/bin/sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-set -e
-
-PREREQ=""
-prereqs() { echo "$PREREQ"; }
-case $1 in
-  prereqs) prereqs; exit 0 ;;
-esac
-
-. /usr/share/initramfs-tools/hook-functions
-
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"
-
-# Include Bash
-copy_exec /usr/bin/bash /usr/bin
-
-# Include lsblk (block device information tool)
-copy_exec /usr/bin/lsblk /usr/bin
-
-# Include udevadm (udev management tool)
-copy_exec /usr/bin/udevadm /usr/bin
-EOF
-
-chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
-
-### Regenerate the initramfs for the live system kernel
-update-initramfs -u -k all -v
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
+chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
+chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

--- a/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
+++ b/config/hooks/live/0002_hardening_overlay_tmpfs.chroot
@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+VAR_DATE="$(date +%F)"
+
+cat << EOF >| /etc/systemd/system/ciss-remount-root.service
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Unit]
+Description=Remount overlay root with nosuid,nodev
+DefaultDependencies=no
+After=local-fs.target
+Before=basic.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev /
+
+[Install]
+WantedBy=sysinit.target
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+mkdir -p /etc/systemd/system/tmp.mount.d
+cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+[Mount]
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+EOF
+
+mkdir -p /etc/systemd/system/dev-shm.mount.d
+cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
+[Mount]
+Options=mode=1777,nosuid,nodev,noexec,size=25%
+EOF
+
+systemctl enable ciss-remount-root.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -1,142 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-target="/usr/lib/live/boot/0030-verify-checksums"
-src="$(mktemp)"
-
-if [[ ! -d /usr/lib/live/boot ]]; then
-  mkdir -p /usr/lib/live/boot
-fi
-
-cat << 'EOF' >| "${src}"
-#!/bin/sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Changed version of https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
-### In case of successful verification of the offered checksums, proceed with booting, else panic.
-
-### Inside 0002_verify_checksums.chroot ###
-
-#######################################
-# Live build ISO with the modified checksum verification script for continuing the boot process.
-# Globals:
-#   LIVE_BOOT_CMDLINE
-#   LIVE_VERIFY_CHECKSUMS
-#   LIVE_VERIFY_CHECKSUMS_DIGESTS
-#   _CHECKSUM
-#   _CHECKSUMS
-#   _DIGEST
-#   _MOUNTPOINT
-#   _PARAMETER
-#   _RETURN
-#   _TTY
-# Arguments:
-#   $1: ${_PARAMETER}
-# Returns:
-#   0 : Successful Verification
-#######################################
-Verify_checksums() {
-  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
-    case "${_PARAMETER}" in
-      live-boot.verify-checksums=* | verify-checksums=*)
-        LIVE_VERIFY_CHECKSUMS="true"
-        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
-        ;;
-
-      live-boot.verify-checksums | verify-checksums)
-        LIVE_VERIFY_CHECKSUMS="true"
-        ;;
-    esac
-  done
-
-  case "${LIVE_VERIFY_CHECKSUMS}" in
-    true) ;;
-
-    *)
-      return 0
-      ;;
-  esac
-
-  _MOUNTPOINT="${1}"
-
-  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
-  _TTY="/dev/tty8"
-
-  log_begin_msg "Verifying checksums"
-
-  # shellcheck disable=SC2164
-  cd "${_MOUNTPOINT}"
-
-  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
-    # shellcheck disable=SC2060
-    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
-
-    for _CHECKSUM in ${_CHECKSUMS}; do
-      if [ -e "${_CHECKSUM}" ]; then
-        echo "Found ${_CHECKSUM}..." > "${_TTY}"
-
-        if [ -e "/bin/${_DIGEST}sum" ]; then
-          echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-
-          # Verify checksums
-          grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
-          _RETURN="${?}"
-
-          # Stop after the first verification
-          # break 2
-        else
-          echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-        fi
-      fi
-    done
-  done
-
-  log_end_msg
-
-  case "${_RETURN}" in
-    0)
-      log_success_msg "Verification sha512 sha384 sha256 successful, continuing booting in 10 seconds."
-      sleep 10
-      return 0
-      ;;
-
-    *)
-      panic "Verification failed, $(basename ${_TTY}) for more information."
-      ;;
-  esac
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-# Copy and make executable
-install -Dm755 "${src}" "${target}"
-
-rm -f "${src}"
-
-unset target src
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0003_cdi_autostart.chroot
+++ b/config/hooks/live/0003_cdi_autostart.chroot
@@ -0,0 +1,52 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ -f /root/.cdi ]]; then
+
+  cat << EOF >| /etc/systemd/system/cdi-starter.service
+[Unit]
+Description=CISS CDI post-boot starter
+Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ConditionPathIsExecutable=/usr/local/sbin/9999_cdi_starter.sh
+After=live-config.service systemd-user-sessions.service getty.target
+After=network-online.target NetworkManager-wait-online.service systemd-networkd-wait-online.service
+Wants=network-online.target
+
+[Service]
+Type=idle
+ExecStart=/usr/local/sbin/9999_cdi_starter.sh
+TimeoutStartSec=1min
+Nice=5
+IOSchedulingClass=best-effort
+Environment=LANG=C.UTF-8
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  chmod 0644 /etc/systemd/system/cdi-starter.service
+
+  systemctl enable cdi-starter.service
+
+  rm -f /root/.cdi
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0007_update_logrotate.chroot
+++ b/config/hooks/live/0007_update_logrotate.chroot
@@ -0,0 +1,77 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+rm -f         "/etc/logrotate.conf"
+cat << EOF >| "/etc/logrotate.conf"
+# See "man logrotate" for details. Global options do not affect preceding include directives.
+
+# Rotate log files daily
+daily
+
+# Keep 90 daily worth of backlogs.
+rotate 90
+
+# Hard cap: delete rotated logs older than 90 days.
+maxage 90
+
+# Do not rotate the log if it is empty (this overrides the ifempty option).
+notifempty
+
+# Create new (empty) log files after rotating old ones.
+create
+
+# Use date as a suffix of the rotated file.
+dateext
+
+# Use yesterday's instead of today's date to create the dateext extension, so that the rotated log file has a date in its name
+# that is the same as the timestamps within it.
+dateyesterday
+
+# Enable compression
+compress
+
+# Use zstd instead of gzip.
+compresscmd /usr/bin/zstd
+
+# File extension for compressed logs.
+compressext .zst
+
+# Set zstd level 3 (default).
+compressoptions -20
+
+# How to decompress for 'logrotate -d' or similar.
+uncompresscmd /usr/bin/unzstd
+
+# Keep the most recent rotation uncompressed for one cycle.
+delaycompress
+
+# Delete log files using shred -u instead of unlink().
+shred
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may also be configured here.
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0010_install_apparmor.chroot
+++ b/config/hooks/live/0010_install_apparmor.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra

 install -d /etc/systemd/system/apparmor.service.d
--- a/config/hooks/live/0020_dropbear_build.chroot
+++ b/config/hooks/live/0020_dropbear_build.chroot
@@ -0,0 +1,80 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_version="2025.88"
+declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
+
+mkdir -p "/root/build"
+cp "${var_tar}" "/root/build"
+tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+cp "/root/dropbear/localoptions.h" "${var_build_dir}"
+cd "${var_build_dir}"
+
+### Flag Purpose:
+#  -fPIE              : Generate position-independent executable code
+#  -pie               : Link the executable as PIE (so that ASLR works)
+#  -static            : Fully statically linked against musl
+#  -s                 : Strip unnecessary symbols directly during linking
+#  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
+
+# shellcheck disable=SC2016,SC2312
+if ! setsid bash -c '
+    ### Sterile environment for the build-process.
+
+    export -n SHELLOPTS || true
+
+    set +u
+
+    unset PATH_SEPARATOR
+    PATH_SEPARATOR=":"
+    PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+    if ! command -v musl-gcc >/dev/null 2>&1; then
+      echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2
+      exit 1
+    fi
+
+    CC=musl-gcc \
+      CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
+      LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
+      ./configure \
+      --enable-static \
+      --enable-openpty \
+      --disable-pam \
+      --disable-zlib
+
+    # shellcheck disable=2312
+    make -j"$(nproc)"
+  ' >| "${var_logfile}" 2>&1
+then
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  tail -n 42 "${var_logfile}" >&2 || true
+  exit 42
+
+fi
+
+  rm -rf /root/dropbear
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0021_dropbear_initramfs.chroot
+++ b/config/hooks/live/0021_dropbear_initramfs.chroot
@@ -0,0 +1,129 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
+apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
+apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
+apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
+
+mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
+mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
+install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
+rm -f /root/dropbear.file
+
+mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
+install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+
+for var_file in dbclient dropbearconvert dropbearkey; do
+
+  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
+  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+
+done
+
+mkdir -p /etc/initramfs-tools/scripts/init-bottom
+
+cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Stop dropbear shipped in the initramfs after root pivot.
+[ -x /bin/pidof ] || exit 0
+
+P=$(/bin/pidof dropbear 2>/dev/null) || true
+
+[ -n "${P}" ] || exit 0
+
+/bin/kill -TERM "${P}" 2>/dev/null || true
+/bin/sleep 1
+
+/bin/kill -KILL "${P}" 2>/dev/null || true
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
+
+cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Never install the dropbear daemon package at all.
+
+Package: dropbear
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Keep the currently installed initramfs integration; never upgrade it.
+
+Package: dropbear-initramfs
+Pin: release *
+Pin-Priority: -1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+systemctl mask dropbear.service dropbear.socket
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -0,0 +1,152 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+#######################################
+# Set up the 'dropbear-initramfs' environment.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+dropbear_setup() {
+  ### Declare Arrays, HashMaps, and Variables.
+  # shellcheck disable=SC2155
+  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
+  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
+
+  ### Prepare strong dropbear host keys.
+  rm -f /etc/dropbear/initramfs/dropbear*key*
+
+  if [[ -d /root/ssh ]]; then
+
+    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key        /etc/dropbear/initramfs/dropbear_ed25519_host_key
+    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+
+  else
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t ed25519     -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
+
+    # shellcheck disable=SC2312
+    /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key     -C "root@live-$(date -I)"
+
+  fi
+
+  chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key
+  chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
+
+  ### Prepare dropbear authorized_keys.
+  printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
+  chmod 0600 /etc/dropbear/initramfs/authorized_keys
+  install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
+
+  ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
+  ### "IP=:::::<NIC>:dhcp"
+  printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
+
+  ### Generate dropbear configuration file.
+  write_dropbear_conf
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f dropbear_setup
+
+#######################################
+# Write '/etc/dropbear/initramfs/dropbear.conf'.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+write_dropbear_conf() {
+  # shellcheck disable=SC2155
+  declare sshport="$(< /root/sshport)"
+  rm -f /root/sshport
+
+  [[ -z "${sshport:-}" ]] && sshport="2222"
+
+  ### CISS internal
+  [[ "${sshport}" == "42137" ]] && sshport="44137"
+
+  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Configuration options for the dropbear-initramfs boot scripts.
+# Variable assignment follow shell semantics and escaping/quoting rules.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files in the '/etc/dropbear/initramfs' directory).
+
+# Command line options to pass to dropbear(8).
+# Dropbear options for 2025+:
+# -b: Display the contents of bannerfile before user login
+# -E: Log to stderr
+# -I: Idle timeout in seconds
+# -K: Keepalive interval in seconds
+# -p: Specify port (and optionally address)
+# -w: Disable root login (SHOULD NOT be implemented for initramfs)
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
+
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#IFDOWN="*"
+
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f write_dropbear_conf
+
+dropbear_setup
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0050_activate_root.chroot
+++ b/config/hooks/live/0050_activate_root.chroot
@@ -25,8 +25,8 @@ fi
 cd /root

 # shellcheck disable=SC2312
-cp /etc/shadow /root/.ciss/dlb/backup/shadow.bak."$(date +%F_%T)"
-chmod 0600 /root/.ciss/dlb/backup/shadow.bak.*
+cp /etc/shadow /root/.ciss/cdlb/backup/shadow.bak."$(date +%F_%T)"
+chmod 0600 /root/.ciss/cdlb/backup/shadow.bak.*

 declare hashed_pwd
 declare safe_hashed_pwd
@@ -37,15 +37,13 @@ sed -i "s|^root:[^:]*:\(.*\)|root:${safe_hashed_pwd}:\1|" /etc/shadow
 sed -i "s|^user:[^:]*:\(.*\)|user:${safe_hashed_pwd}:\1|" /etc/shadow
 unset hashed_pwd safe_hashed_pwd

-cat /etc/shadow
+if shred -fzu -n 5 /root/.pwd; then

-if shred -vfzu -n 5 /root/.pwd; then
-
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: -vfzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: -vfzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2

 fi

--- a/config/hooks/live/0080_keyboard_layout.chroot
+++ b/config/hooks/live/0080_keyboard_layout.chroot
@@ -21,6 +21,8 @@ XKBOPTIONS=""
 BACKSPACE="guess"
 EOF

+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
--- a/config/hooks/live/0090_jitterentropy.chroot
+++ b/config/hooks/live/0090_jitterentropy.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,23 +13,19 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-DEBIAN_FRONTEND=noninteractive \
-  apt-get update && \
-    DEBIAN_FRONTEND=noninteractive \
-      apt-get install -y --no-install-recommends \
-        -o Dpkg::Options::="--force-confdef" \
-        -o Dpkg::Options::="--force-confold" \
-        -t bookworm-backports \
-        btrfs-progs \
-        curl \
-        debootstrap \
-        iproute2 \
-        ncat \
-        nmap \
-        ssh \
-        systemd \
-        systemd-sysv \
-        whois
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+apt-get install -y --no-install-recommends jitterentropy-rngd
+
+cd /root
+
+mkdir -p /etc/systemd/system/jitterentropy-rngd.service.d
+
+cat << 'EOF' >> /etc/systemd/system/jitterentropy-rngd.service.d/override.conf
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
+EOF

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

--- a/config/hooks/live/0100_ciss_mem_wipe.chroot
+++ b/config/hooks/live/0100_ciss_mem_wipe.chroot
@@ -0,0 +1,209 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+apt-get install -y --no-install-recommends kexec-tools busybox-static
+
+install -d -m 0755 /boot/ciss-memwipe
+install -d -m 0755 /usr/local/sbin
+install -d -m 0755 /etc/systemd/system
+install -d -m 0755 /etc/default
+
+### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
+# shellcheck disable=SC2012,SC2155
+declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
+cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz
+
+### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
+declare TMPDIR; TMPDIR="$(mktemp -d)"
+trap 'rm -rf "${TMPDIR}"' EXIT
+
+mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe}
+cp -f /bin/busybox.static "${TMPDIR}/bin/busybox"
+
+cat << 'EOF' >| "${TMPDIR}/init"
+#!/bin/busybox sh
+### Minimal init to wipe RAM, then power off.
+### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
+set -eu
+
+get_arg() { # $1=key ; echoes value or empty
+
+  for tok in $(cat /proc/cmdline); do
+
+    case "${tok}" in
+      $1=*) echo "${tok#*=}"; return 0;;
+    esac
+
+  done
+
+  echo ""
+}
+
+mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
+[ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -e /dev/null ]    || mknod -m 666 /dev/null c 1 3
+[ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
+
+mount -t proc proc /proc
+mount -t sysfs sysfs /sys
+
+PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
+MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
+BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
+PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
+
+echo 1 > /proc/sys/kernel/printk 2>/dev/null || true
+
+MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
+SIZE_KB=$(( MEM_KB * PCT / 100 ))
+mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
+
+wipe_pass() {
+  pattern="$1"
+  if [ "${pattern}" = "zero" ]; then
+    src="/dev/zero"
+  else
+    src="/dev/urandom"
+  fi
+
+  i=0
+  while :; do
+    busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break
+    i=$((i+1))
+  done
+  sync
+  echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /wipe/block_* 2>/dev/null || true
+  sync
+}
+
+DO_ZERO=0; DO_RANDOM=0
+case "${MODE}" in
+  zero) DO_ZERO=1 ;;
+  random) DO_RANDOM=1 ;;
+  zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
+  *) DO_ZERO=1 ;;
+esac
+
+p=1
+while [ ${p} -le "${PASSES}" ]; do
+  [ ${DO_ZERO} -eq 1 ] && wipe_pass zero
+  [ ${DO_RANDOM} -eq 1 ] && wipe_pass random
+  p=$((p+1))
+done
+
+sync
+busybox poweroff -f || echo o >| /proc/sysrq-trigger
+EOF
+
+chmod +x "${TMPDIR}/init"
+
+( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
+
+cat << 'EOF' >| /etc/default/ciss-memwipe
+### CISS Memory Wipe defaults
+CISS_WIPE_PASSES=2           # number of passes
+CISS_WIPE_MODE="zero+random" # zero | random | zero+random
+CISS_WIPE_DD_BS="64M"        # dd block size
+CISS_WIPE_TMPFS_PCT=95       # percentage of MemTotal to allocate
+EOF
+
+cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
+#!/bin/bash
+# Prepare and execute kexec-based memory wipe.
+set -euo pipefail
+
+. /etc/default/ciss-memwipe || true
+
+KERNEL="/boot/ciss-memwipe/vmlinuz"
+INITRD="/boot/ciss-memwipe/initrd.img"
+
+append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
+
+prepare() {
+  # Try to allow kexec if not locked down
+  if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
+    echo 0 > /proc/sys/kernel/kexec_load_disabled || true
+  fi
+  # Load wipe kernel
+  if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then
+    kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true
+  fi
+}
+
+fallback_inplace() {
+  # Last-resort: wipe in-place via tmpfs and then power off
+  mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
+  i=0
+  while :; do
+    dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
+    i=$((i+1))
+  done
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  rm -f /run/wipe/blk_* 2>/dev/null || true
+  sync
+  systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
+}
+
+execute() {
+  sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
+  # Prefer systemd's path if possible
+  if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
+    # If kexec image was loaded, systemctl kexec will use it
+    systemctl kexec || kexec -e || fallback_inplace
+  else
+    kexec -e || fallback_inplace
+  fi
+}
+
+case "${1:-}" in
+  prepare) prepare ;;
+  execute) execute ;;
+  *) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
+esac
+EOF
+chmod 0755 /usr/local/sbin/ciss-memwipe
+
+### Systemd service: load at boot, execute on shutdown
+cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
+[Unit]
+Description=CISS: preload and execute kexec-based RAM wipe on shutdown
+DefaultDependencies=no
+# Ensure we run late enough on shutdown, but early enough to take over
+Before=shutdown.target
+After=local-fs.target network.target multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/ciss-memwipe prepare
+# ExecStop runs during shutdown: jump into wipe kernel
+ExecStop=/usr/local/sbin/ciss-memwipe execute
+TimeoutStartSec=20s
+TimeoutStopSec=infinity
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable ciss-memwipe.service
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0120_set_hostname.chroot
+++ b/config/hooks/live/0120_set_hostname.chroot
@@ -12,10 +12,9 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

-mv /etc/hostname /root/.ciss/dlb/backup/hostname.bak
-mv /etc/mailname /root/.ciss/dlb/backup/mailname.bak
+mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
+mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak

 cat << 'EOF' >| /etc/hostname
 live.local
@@ -28,7 +27,6 @@ localhost.local
 EOF

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0130_machineid.chroot
+++ b/config/hooks/live/0130_machineid.chroot
@@ -12,7 +12,6 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -22,7 +21,7 @@ fi
 cat << 'EOF' >| /var/lib/dbus/machine-id
 b08dfa6083e7567a1921a715000001fb
 EOF
-chmod 644 /var/lib/dbus/machine-id
+chmod 0644 /var/lib/dbus/machine-id

 if [[ -f /etc/machine-id ]]; then
  rm /etc/machine-id
@@ -34,7 +33,6 @@ EOF
 chmod 644 /etc/machine-id

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0400_eza_install.chroot
+++ b/config/hooks/live/0400_eza_install.chroot
@@ -23,8 +23,9 @@ wget -qO- https://raw.githubusercontent.com/eza-community/eza/main/deb.asc | gpg
 echo "deb [signed-by=/etc/apt/keyrings/gierens.gpg] http://deb.gierens.de stable main" | tee /etc/apt/sources.list.d/gierens.list
 chmod 644 /etc/apt/keyrings/gierens.gpg /etc/apt/sources.list.d/gierens.list

-export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+apt-get update -qq
 apt-get install -y eza

 git clone https://github.com/eza-community/eza-themes.git
--- a/config/hooks/live/0800_lynis_setup.chroot
+++ b/config/hooks/live/0800_lynis_setup.chroot
@@ -16,11 +16,452 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list

-export DEBIAN_FRONTEND="noninteractive"
-apt-get update
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+apt-get update -qq
 apt-get install -y lynis
 lynis show version

+cat << EOF_LYNIS >| /etc/lynis/default.prf
+#################################################################################
+#
+#
+# Lynis - Default scan profile
+#
+#
+#################################################################################
+#
+#
+# This profile provides Lynis with most of its initial values to perform a
+# system audit.
+#
+#
+# WARNINGS
+# ----------
+#
+# Do NOT make changes to this file. Instead, copy only your changes into
+# the file custom.prf and put it in the same directory as default.prf
+#
+# To discover where your profiles are located: lynis show profiles
+#
+#
+# Lynis performs a strict check on profiles to avoid the inclusion of
+# possibly harmful injections. See include/profiles for details.
+#
+#
+#################################################################################
+#
+# All empty lines or with the # prefix will be skipped
+#
+#################################################################################
+
+# Use colored output
+colors=yes
+
+# Compressed uploads (set to zero when errors with uploading occur)
+compressed-uploads=yes
+
+# Amount of connections in WAIT state before reporting it as a suggestion
+#connections-max-wait-state=5000
+
+# Debug mode (for debugging purposes, extra data logged to screen)
+#debug=yes
+
+# Show non-zero exit code when warnings are found
+error-on-warnings=no
+
+# Use Lynis in your own language (by default auto-detected)
+language=
+
+# Log tests from another guest operating system (default: yes)
+#log-tests-incorrect-os=yes
+
+# Define if available NTP daemon is configured as a server or client on the network
+# values: server or client (default: client)
+#ntpd-role=client
+
+# Defines the role of the system (personal, workstation or server)
+machine-role=server
+
+# Ignore some stratum 16 hosts (for example when running as time source itself)
+#ntp-ignore-stratum-16-peer=127.0.0.1
+
+# Profile name, will be used as title/description
+profile-name=Default Audit Template
+
+# Number of seconds to pause between every test (0 is no pause)
+pause-between-tests=0
+
+# Quick mode (do not wait for keypresses)
+quick=yes
+
+# Refresh software repositories to help detecting vulnerable packages
+refresh-repositories=yes
+
+# Show solution for findings
+show-report-solution=yes
+
+# Show inline tips about the tool
+show-tool-tips=yes
+
+# Skip plugins
+skip-plugins=no
+
+# Skip a test (one per line)
+#skip-test=SSH-7408
+skip-test=KRNL-5788
+skip-test=KRNL-5830
+skip-test=AUTH-9229
+
+# Skip a particular option within a test (when applicable)
+#skip-test=SSH-7408:loglevel
+#skip-test=SSH-7408:permitrootlogin
+
+# Skip Lynis upgrade availability test (default: no)
+#skip-upgrade-test=yes
+
+# Locations where to search for SSL certificates (separate paths with a colon)
+ssl-certificate-paths=/etc/apache2:/etc/dovecot:/etc/httpd:/etc/letsencrypt:/etc/pki:/etc/postfix:/etc/refind.d/keys:/etc/ssl:/opt/psa/var/certificates:/usr/local/psa/var/certificates:/usr/local/share/ca-certificates:/usr/share/ca-certificates:/usr/share/gnupg:/var/www:/srv/www
+ssl-certificate-paths-to-ignore=/etc/letsencrypt/archive:
+ssl-certificate-include-packages=no
+
+# Scan type - how deep the audit should be (light, normal or full)
+test-scan-mode=full
+
+# Verbose output
+verbose=no
+
+
+#################################################################################
+#
+# Plugins
+# ---------------
+# Define which plugins are enabled
+#
+# Notes:
+# - Nothing happens if plugin isn't available
+# - There is no order in execution of plugins
+# - See documentation about how to use plugins and phases
+# - Some are for Lynis Enterprise users only
+#
+#################################################################################
+
+# Lynis plugins to enable
+plugin=authentication
+plugin=compliance
+plugin=configuration
+plugin=control-panels
+plugin=crypto
+plugin=dns
+plugin=docker
+plugin=file-integrity
+plugin=file-systems
+plugin=firewalls
+plugin=forensics
+plugin=hardware
+plugin=intrusion-detection
+plugin=intrusion-prevention
+plugin=kernel
+plugin=malware
+plugin=memory
+plugin=nginx
+plugin=pam
+plugin=processes
+plugin=security-modules
+plugin=software
+plugin=system-integrity
+plugin=systemd
+plugin=users
+plugin=krb5
+
+# Disable a particular plugin (will overrule an enabled plugin)
+#disable-plugin=authentication
+
+#################################################################################
+#
+# Kernel options
+# ---------------
+# config-data=, followed by:
+#
+# - Type                     = Set to 'sysctl'
+# - Setting                  = value of sysctl key (e.g. kernel.sysrq)
+# - Expected value           = Preferred value for key (e.g. 0)
+# - Hardening Points         = Number of hardening points (typically 1 point per key) (1)
+# - Description              = Textual description about the sysctl key(Disable magic SysRQ)
+# - Related file or command  = For example, sysctl -a to retrieve more details
+# - Solution field           = Specifies more details or where to find them (url:URL, text:TEXT, or -)
+#
+#################################################################################
+
+# Config
+# - Type (sysctl)
+# - Setting (kernel.sysrq)
+# - Expected value (0)
+# - Hardening Points (1)
+# - Description (Disable magic SysRQ)
+# - Related file or command (sysctl -a)
+# - Solution field (url:URL, text:TEXT, or -)
+
+# Processes
+config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
+
+# Kernel
+config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security;
+#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
+config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.dmesg_restrict;1;1;Restrict use of dmesg;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.perf_event_paranoid;2|3|4;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security;
+
+# Network
+config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
+config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
+#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
+config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
+config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
+config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
+config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;
+config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
+config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
+config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
+config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
+config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
+config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
+config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
+config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.bootp_relay;0;1;Do not relay BOOTP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.mc_forwarding;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.proxy_arp;0;1;Do not relay ARP packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.rp_filter;1;1;Enforce ingress/egress filtering for packets;-;category:security;
+config-data=sysctl;net.ipv4.conf.all.send_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv4.conf.default.log_martians;1;1;Log all packages for which the host does not have a path back to the source;-;category:security;
+config-data=sysctl;net.ipv4.icmp_echo_ignore_broadcasts;1;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.ipv4.icmp_ignore_bogus_error_responses;1;1;Ignore-;category:security;
+#config-data=sysctl;net.ipv4.ip_forward;0;1;Do not forward traffic;-;category:security;
+config-data=sysctl;net.ipv4.tcp_syncookies;1;1;Use SYN cookies to prevent SYN attack;-;category:security;
+config-data=sysctl;net.ipv4.tcp_timestamps;0|1;1;Disable TCP time stamps or enable them with different offsets;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.send_redirects;0;1;Disable/ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
+config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
+
+# Other
+config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security;
+config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
+#sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
+#security.jail.jailed; 0
+#security.jail.jail_max_af_ips; 255
+#security.jail.mount_allowed; 0
+#security.jail.chflags_allowed; 0
+#security.jail.allow_raw_sockets; 0
+#security.jail.enforce_statfs; 2
+#security.jail.sysvipc_allowed; 0
+#security.jail.socket_unixiproute_only; 1
+#security.jail.set_hostname_allowed; 1
+#security.bsd.suser_enabled; 1
+#security.bsd.unprivileged_proc_debug; 1
+#security.bsd.conservative_signals; 1
+#security.bsd.unprivileged_read_msgbuf; 1
+#security.bsd.unprivileged_get_quota; 0
+config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
+config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
+
+
+#################################################################################
+#
+# permfile
+# ---------------
+# permfile=file name:file permissions:owner:group:action:
+# Action = NOTICE or WARN
+# Examples:
+# permfile=/etc/test1.dat:600:root:wheel:NOTICE:
+# permfile=/etc/test1.dat:640:root:-:WARN:
+#
+#################################################################################
+
+#permfile=/etc/inetd.conf:rw-------:root:-:WARN:
+#permfile=/etc/fstab:rw-r--r--:root:-:WARN:
+permfile=/boot/grub/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/grub.cfg:rw-------:root:root:WARN:
+permfile=/boot/grub2/user.cfg:rw-------:root:root:WARN:
+permfile=/etc/at.allow:rw-------:root:-:WARN:
+permfile=/etc/at.deny:rw-------:root:-:WARN:
+permfile=/etc/cron.allow:rw-------:root:-:WARN:
+permfile=/etc/cron.deny:rw-------:root:-:WARN:
+permfile=/etc/crontab:rw-------:root:-:WARN:
+permfile=/etc/group:rw-r--r--:root:-:WARN:
+permfile=/etc/group-:rw-r--r--:root:-:WARN:
+permfile=/etc/hosts.allow:rw-r--r--:root:root:WARN:
+permfile=/etc/hosts.deny:rw-r--r--:root:root:WARN:
+permfile=/etc/issue:rw-r--r--:root:root:WARN:
+permfile=/etc/issue.net:rw-r--r--:root:root:WARN:
+permfile=/etc/lilo.conf:rw-------:root:-:WARN:
+permfile=/etc/motd:rw-r--r--:root:root:WARN:
+permfile=/etc/passwd:rw-r--r--:root:-:WARN:
+permfile=/etc/passwd-:rw-r--r--:root:-:WARN:
+permfile=/etc/ssh/sshd_config:rw-------:root:-:WARN:
+permfile=/etc/hosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/etc/shosts.equiv:rw-r--r--:root:root:WARN:
+permfile=/root/.rhosts:rw-------:root:root:WARN:
+permfile=/root/.rlogin:rw-------:root:root:WARN:
+permfile=/root/.shosts:rw-------:root:root:WARN:
+
+# These permissions differ by OS
+#permfile=/etc/gshadow:---------:root:-:WARN:
+#permfile=/etc/gshadow-:---------:root:-:WARN:
+#permfile=/etc/shadow:---------:root:-:WARN:
+#permfile=/etc/shadow-:---------:root:-:WARN:
+
+
+#################################################################################
+#
+# permdir
+# ---------------
+# permdir=directory name:file permissions:owner:group:action when permissions are different:
+#
+#################################################################################
+
+permdir=/root/.ssh:rwx------:root:-:WARN:
+permdir=/etc/cron.d:rwx------:root:root:WARN:
+permdir=/etc/cron.daily:rwx------:root:root:WARN:
+permdir=/etc/cron.hourly:rwx------:root:root:WARN:
+permdir=/etc/cron.weekly:rwx------:root:root:WARN:
+permdir=/etc/cron.monthly:rwx------:root:root:WARN:
+
+
+# Ignore some specific home directories
+# One directory per line; directories will be skipped for home directory specific
+# checks, like file permissions, SSH and other configuration files
+#ignore-home-dir=/home/user
+
+
+# Allow promiscuous interfaces
+#   <option>:<promiscuous interface name>:<description>:
+#if_promisc:pflog0:pf log daemon interface:
+
+
+# The URL prefix and append to the URL for controls or your custom tests
+# Link will be formed as {control-url-protocol}://{control-url-prepend}CONTROL-ID{control-url-append}
+#control-url-protocol=https
+#control-url-prepend=cisofy.com/control/
+#control-url-append=/
+
+# The URL prefix and append to URL's for your custom tests
+#custom-url-protocol=https
+#custom-url-prepend=your-domain.example.org/control-info/
+#custom-url-append=/
+
+
+#################################################################################
+#
+# Operating system specific
+# -------------------------
+#
+#################################################################################
+
+# Skip the FreeBSD portaudit test
+#freebsd-skip-portaudit=yes
+
+# Skip security repository check for Debian based systems
+#debian-skip-security-repository=yes
+
+
+
+#################################################################################
+#
+# Lynis Enterprise options
+# ------------------------
+#
+#################################################################################
+
+# Allow this system to be purged when it is outdated (default: not defined).
+# This is useful for ephemeral systems which are short-lived.
+#allow-auto-purge=yes
+
+# Sometimes it might be useful to override the host identifiers.
+# Use only hexadecimal values (0-9, a-f), with 40 and 64 characters in length.
+#
+#hostid=40-char-hash
+#hostid2=64-char-hash
+
+# Lynis Enterprise license key
+license-key=
+
+# Proxy settings
+# Protocol (http, https, socks5)
+#proxy-protocol=https
+
+# Proxy server
+#proxy-server=10.0.1.250
+
+# Define proxy port to use
+#proxy-port=3128
+
+# Define the group names to link to this system (preferably single words). Default setting: append
+# To clear groups before assignment, add 'action:clear' as last groupname
+#system-groups=groupname1,groupname2,groupname3
+
+# Define which compliance standards are audited and reported on. Disable this if not required.
+compliance-standards=cis,hipaa,iso27001,pci-dss
+
+# Provide the name of the customer/client
+#system-customer-name=mycustomer
+
+# Upload data to central server
+upload=no
+
+# The hostname/IP address to receive the data
+upload-server=
+
+# Provide options to cURL (or other upload tool) when uploading data.
+# upload-options=--insecure (use HTTPS, but skip certificate check for self-signed certificates)
+upload-options=
+
+# Link one or more tags to a system
+#tags=db,production,ssn-1304
+
+#EOF
+EOF_LYNIS
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/0810_chrony_setup.chroot
+++ b/config/hooks/live/0810_chrony_setup.chroot
@@ -15,15 +15,16 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "

 mkdir -p /var/log/chrony

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 export TZ="Etc/UTC"

 apt-get install -y adjtimex chrony tzdata

 systemctl enable chrony.service

-mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak
+mv /etc/chrony/chrony.conf /root/.ciss/cdlb/backup/chrony.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/chrony.conf.bak

 cat << EOF >| /etc/chrony/chrony.conf
 # SPDX-Version: 3.0
@@ -50,13 +51,13 @@ log tracking measurements statistics

 authselectmode require

-server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
+# server ntp.ripe.net      iburst nts minpoll 5 maxpoll 9
 server ptbtime3.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime2.ptb.de   iburst nts minpoll 5 maxpoll 9
 server ptbtime1.ptb.de   iburst nts minpoll 5 maxpoll 9
-server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
-server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
-server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
+# server ntp13.metas.ch    iburst nts minpoll 5 maxpoll 9
+# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9
+# server sth1.ntp.se       iburst nts minpoll 5 maxpoll 9
 server ntp0.fau.de       iburst nts minpoll 5 maxpoll 9

 leapsectz right/UTC
@@ -110,6 +111,8 @@ if [[ -e /usr/share/zoneinfo/right/UTC ]]; then

 fi

+chronyd -Q -f /etc/chrony/chrony.conf 2>&1
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/0822_ssh_restart_hook.chroot
+++ b/config/hooks/live/0822_ssh_restart_hook.chroot
@@ -20,7 +20,7 @@ cat << 'EOF' >| "${target_script}"
@reboot root /usr/local/bin/restart-ssh.sh
 EOF

-chmod 0644 "${target_script}"
+chmod 0444 "${target_script}"

 cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
 #!/bin/bash
--- a/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
+++ b/config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - && \
 apt-get install -y nodejs

--- a/config/hooks/live/0845_harbian_audit.chroot
+++ b/config/hooks/live/0845_harbian_audit.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0850_ssh_audit.chroot
+++ b/config/hooks/live/0850_ssh_audit.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0855_dnsviz.chroot
+++ b/config/hooks/live/0855_dnsviz.chroot
@@ -12,13 +12,11 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0860_sops.chroot
+++ b/config/hooks/live/0860_sops.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND=noninteractive
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"

 SOPS_VER="v3.11.0"
 ARCH="$(dpkg --print-architecture)"
@@ -39,14 +40,16 @@ cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
 sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing

 install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates
-age --version
+sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
+age --version                      >| /root/.ciss/cdlb/log/age.log

 rm -f "/tmp/${SOPS_FILE}"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
 rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"

+chmod 0400 /root/.config/sops/age/keys.txt
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/0090_haveged.chroot
+++ b/config/hooks/live/0090_haveged.chroot
@@ -13,17 +13,12 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
-apt-get install -y --no-install-recommends haveged
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"

-cd /root
-cat << 'EOF' >| /etc/default/haveged
-# Configuration file for haveged
-
-# Options to pass to haveged:
-DAEMON_ARGS="-w 2048 -v 1"
-EOF
+wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/local/bin/yq && chmod +x /usr/local/bin/yq

+yq --version

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

--- a/config/hooks/live/0870_bashdb.chroot
+++ b/config/hooks/live/0870_bashdb.chroot
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+umask 0077
+
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+apt-get install -y texinfo
+
+cd /root/git
+git clone https://github.com/Trepan-Debuggers/bashdb.git
+cd /root/git/bashdb
+./autogen.sh
+make
+
+apt-get purge -y texinfo
+apt-get autoremove --purge -y
+apt-get autoclean -y
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/0900_ufw_setup.chroot
+++ b/config/hooks/live/0900_ufw_setup.chroot
@@ -12,10 +12,9 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-# sleep 1

 declare -r UFW_OUT_POLICY="deny"
-declare -r SSHPORT="MUST_BE_SET"
+declare -r SSHPORT="SSHPORT_MUST_BE_SET"

 ufw --force reset

@@ -51,6 +50,7 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/udp comment 'Outgoing DoQ'
 fi

+### Allowing ICMP IPv4 outgoing per default.
 sed -i "/# ok icmp code for FORWARD/i \# ok icmp codes for OUTPUT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT" /etc/ufw/before.rules
 sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT" /etc/ufw/before.rules
@@ -61,7 +61,6 @@ sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9900_process_accounting.chroot
+++ b/config/hooks/live/9900_process_accounting.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y acct

 if [[ ! -d /etc/systemd/system/multi-user.target.wants ]]; then
--- a/config/hooks/live/9910_motd.chroot
+++ b/config/hooks/live/9910_motd.chroot
@@ -13,8 +13,8 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-mkdir -p /root/.ciss/dlb/backup/update-motd.d
-cp -af /etc/update-motd.d/* /root/.ciss/dlb/backup/update-motd.d
+mkdir -p /root/.ciss/cdlb/backup/update-motd.d
+cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d

 cat << 'EOF' >| /etc/update-motd.d/10-uname
 #!/bin/sh
--- a/config/hooks/live/9920_deleting_invalid_x509.chroot
+++ b/config/hooks/live/9920_deleting_invalid_x509.chroot
@@ -14,7 +14,7 @@ set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
-declare backup_dir="/root/.ciss/dlb/backup/certificates"
+declare backup_dir="/root/.ciss/cdlb/backup/certificates"
 declare current_date
 current_date=$(date +%s)
 declare -ax expired_certificates=()
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -12,29 +12,47 @@
 set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+declare _key=""
+
+cd /etc/ssh

-cd /etc/ssh || {
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
-}
 rm -rf ssh_host_*key*

-# shellcheck disable=SC2312
-ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
-# shellcheck disable=SC2312
-ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+if [[ -d /root/ssh ]]; then

-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
-rm -rf /etc/ssh/moduli
-mv /etc/ssh/moduli.safe /etc/ssh/moduli
+  if compgen -G "/root/ssh/ssh_host_*" > /dev/null; then
+    mv -t /etc/ssh -- /root/ssh/ssh_host_*
+  fi
+
+  if compgen -G "/root/ssh/*sha256sum.txt" > /dev/null; then
+    mv -t /etc/ssh -- /root/ssh/*sha256sum.txt
+  fi
+
+  rm -rf /root/ssh
+
+else
+
+  # shellcheck disable=SC2312
+  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"
+
+  # shellcheck disable=SC2312
+  ssh-keygen -o -N "" -t rsa -b 8192 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"
+
+fi

 chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
+chmod 0440 /etc/ssh/*sha256sum.txt
+chown root:root /etc/ssh/*sha256sum.txt

-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
+awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
+rm -rf /etc/ssh/moduli
+mv /etc/ssh/moduli.safe /etc/ssh/moduli
+
+chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config

-touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp

 ###########################################################################################
@@ -77,6 +95,23 @@ Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf

+### Final checks. Verify host keys after installation.
+if command -v ssh-keygen >/dev/null 2>&1; then
+
+  for _key in /etc/ssh/ssh_host_*key; do
+
+    ### Only consider regular files
+    [[ -f "${_key}" ]] || continue
+
+    ssh-keygen -lf "${_key}" >/dev/null || exit 42
+    ssh-keygen -yf "${_key}" >/dev/null || exit 42
+
+  done
+
+fi
+
+/usr/sbin/sshd -t || exit 42
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/9935_hardening_ssh.chroot.tmpl
+++ b/config/hooks/live/9935_hardening_ssh.chroot.tmpl
@@ -1,93 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-cd /etc/ssh || {
-  printf "\e[91mm++++ ++++ ++++ ++++ ++++ ++++ ++ Could not find /etc/ssh \e[0m\n"
-}
-
-cat << 'EOF' >| ssh_host_ed25519_key
-{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY }}
-EOF
-
-cat << 'EOF' >| ssh_host_ed25519_key.pub
-{{ secrets.CISS_DLB_SSH_HOST_ED25519_KEY_PUB }}
-EOF
-
-cat << 'EOF' >| ssh_host_rsa_key
-{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY }}
-EOF
-
-cat << 'EOF' >| ssh_host_rsa_key.pub
-{{ secrets.CISS_DLB_SSH_HOST_RSA_KEY_PUB }}
-EOF
-
-awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
-rm -rf /etc/ssh/moduli
-mv /etc/ssh/moduli.safe /etc/ssh/moduli
-
-chmod 0600 /etc/ssh/ssh_host_*_key
-chown root:root /etc/ssh/ssh_host_*_key
-chmod 0644 /etc/ssh/ssh_host_*_key.pub
-chown root:root /etc/ssh/ssh_host_*_key.pub
-
-chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_config
-
-touch /root/sshfp
-ssh-keygen -r @ >| /root/sshfp
-
-###########################################################################################
-# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
-# environment variables: TMOUT and HISTFILE.                                              #
-# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
-# readonly HISTFILE ensures that the command history cannot be changed.                   #
-# The chmod +x command ensures that the file is executed in every shell session.          #
-###########################################################################################
-cat << 'EOF' >| /etc/profile.d/idle-users.sh
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-case $- in
-  *i*)
-    TMOUT=14400
-    export TMOUT
-    readonly TMOUT
-  ;;
-esac
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-chmod +x /etc/profile.d/idle-users.sh
-
-mkdir -p /etc/systemd/system/ssh.service.d
-cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
-[Unit]
-After=ufw.service
-Requires=ufw.service
-EOF
-chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9940_hardening_memory.dump.chroot
+++ b/config/hooks/live/9940_hardening_memory.dump.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,27 +13,74 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-cp -u /etc/security/limits.conf /root/.ciss/dlb/backup/limits.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/limits.conf.bak
+cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak

-grep -Eq '^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
-  || sed -i -E '/^[[:space:]]*#?[[:space:]]*soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/ i\*               soft    core            0' /etc/security/limits.conf
+### Comment any existing active core settings to avoid conflicts, both soft/hard, any domain including "*".
+sed -i -E '
+/^[[:space:]]*\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$/d
+/^[[:space:]]*#\*               soft    core            0$/d
+/^[[:space:]]*#root            hard    core            100000$/d
+/^[[:space:]]*#\*               hard    rss             10000$/d
+/^[[:space:]]*#@student        hard    nproc           20$/d
+/^[[:space:]]*#@faculty        soft    nproc           20$/d
+/^[[:space:]]*#@faculty        hard    nproc           50$/d
+/^[[:space:]]*#ftp             hard    nproc           0$/d
+/^[[:space:]]*#ftp             -       chroot          \/ftp$/d
+/^[[:space:]]*#@student        -       maxlogins       4$/d
+/^[[:space:]]*# End of file/i\
+*               soft    core            0\
+*               hard    core            0
+' /etc/security/limits.conf

-grep -Eq '^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*$' /etc/security/limits.conf \
-  || sed -i -E '/^[[:space:]]*#?[[:space:]]*root[[:space:]]+hard[[:space:]]+core[[:space:]]+100000[[:space:]]*$/ i\*               hard    core            0' /etc/security/limits.conf
+mkdir -p /etc/systemd/coredump.conf.d
+mkdir -p /etc/security/limits.d

-if [[ ! -d /etc/systemd/coredump.conf.d ]]; then
+cat << EOF >| /etc/security/limits.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

-  mkdir -p /etc/systemd/coredump.conf.d
+*               soft    core            0
+*               hard    core            0
+root            soft    core            0
+root            hard    core            0

-fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+chmod 0644 /etc/security/limits.d/9999-ciss-coredump-disable.conf
+
+cat << EOF >| /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu

-touch /etc/systemd/coredump.conf.d/disable.conf
-chmod 0644 /etc/systemd/coredump.conf.d/disable.conf
-cat << EOF >| /etc/systemd/coredump.conf.d/disable.conf
 [Coredump]
 Storage=none
+ProcessSizeMax=0
+ExternalSizeMax=0
+JournalSizeMax=0
+MaxUse=0
+KeepFree=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
+chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

--- a/config/hooks/live/9950_fail2ban_hardening.chroot
+++ b/config/hooks/live/9950_fail2ban_hardening.chroot
@@ -1,146 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-cd /root
-
-cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/dlb/backup/fail2ban.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/fail2ban.conf.bak
-
-### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
-sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
-
-mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/dlb/backup/defaults-debian.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/defaults-debian.conf.bak
-
-cat << 'EOF' >| /etc/fail2ban/jail.d/centurion-default.conf
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-[DEFAULT]
-usedns    = yes
-# local | vpn
-ignoreip  = 127.0.0.0/8 ::1 MUST_BE_SET
-maxretry  = 8
-findtime  = 24h
-bantime   = 24h
-
-### SSH Handling: Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
-###               Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
-
-[sshd]
-enabled   = true
-backend   = systemd
-filter    = sshd
-mode      = normal
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 4
-findtime  = 24h
-bantime   = 24h
-
-[sshd-refused]
-enabled   = true
-filter    = sshd-refused
-port      = MUST_BE_SET
-protocol  = tcp
-logpath   = /var/log/auth.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-
-# ufw aggressive approach:
-# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, 443, ...).
-# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after one attempt.
-
-[ufw]
-enabled   = true
-filter    = ufw.aggressive
-action    = iptables-allports
-logpath   = /var/log/ufw.log
-maxretry  = 1
-findtime  = 24h
-bantime   = 24h
-protocol  = tcp,udp
-
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/ufw.aggressive.conf
-[Definition]
-failregex = ^.*UFW BLOCK.* SRC=<HOST> .*DPT=\d+ .*
-EOF
-
-cat << EOF >| /etc/fail2ban/filter.d/sshd-refused.conf
-[Definition]
-failregex = ^refused connect from \S+ \(<HOST>\)
-EOF
-
-###########################################################################################
-# Remarks: hardening of fail2ban systemd                                                  #
-###########################################################################################
-# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
-# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
-# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
-# operate # on any firewall that has a command-line shell interface. By using             #
-# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
-# allows Fail2ban to have write access on required paths.                                 #
-###########################################################################################
-mkdir -p /etc/systemd/system/fail2ban.service.d
-mkdir /var/log/fail2ban
-
-cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
-[Service]
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=read-only
-ProtectSystem=strict
-ReadWritePaths=-/var/run/fail2ban
-ReadWritePaths=-/var/lib/fail2ban
-ReadWritePaths=-/var/log/fail2ban
-ReadWritePaths=-/var/spool/postfix/maildrop
-ReadWritePaths=-/run/xtables.lock
-CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
-
-### Added by CISS.debian.live.builder
-ProtectClock=true
-ProtectHostname=true
-
-EOF
-
-cat << 'EOF' >> /etc/fail2ban/fail2ban.local
-[Definition]
-logtarget = /var/log/fail2ban/fail2ban.log
-EOF
-
-###########################################################################################
-# Remarks: Logrotate must be updated either                                               #
-###########################################################################################
-cp -a /etc/logrotate.d/fail2ban /root/.ciss/dlb/backup/fail2ban_logrotate.bak
-sed -i 's/\/var\/log\/fail2ban.log/\/var\/log\/fail2ban\/fail2ban.log/1' /etc/logrotate.d/fail2ban
-touch /var/log/fail2ban/fail2ban.log
-chmod 640 /var/log/fail2ban/fail2ban.log
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9950_hardening_fail2ban.chroot
+++ b/config/hooks/live/9950_hardening_fail2ban.chroot
@@ -0,0 +1,241 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cd /root
+
+cp -u /etc/fail2ban/fail2ban.conf /root/.ciss/cdlb/backup/fail2ban.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/fail2ban.conf.bak
+
+### https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024305
+sed -i 's/#allowipv6 = auto/allowipv6 = auto/1' /etc/fail2ban/fail2ban.conf
+
+mv /etc/fail2ban/jail.d/defaults-debian.conf /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+chmod 0400 /root/.ciss/cdlb/backup/defaults-debian.conf.bak
+
+cat << EOF >| /etc/fail2ban/jail.d/ciss-default.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[DEFAULT]
+banaction             = nftables-multiport
+banaction_allports    = nftables-allports
+dbpurgeage            = 384d
+#                       127.0.0.1/8 - IPv4 loopback range (local host)
+#                       ::1/128     - IPv6 loopback
+#                       fe80::/10   - IPv6 link-local (on-link only; NDP/RA/DAD)
+#                       ff00::/8    - IPv6 multicast (not an unicast host)
+#                       ::/128      - IPv6 unspecified (all zeros; never a real peer)
+ignoreip              = 127.0.0.1/8 ::1/128 fe80::/10 ff00::/8 ::/128 IGNORE_IP_MUST_BE_SET
+usedns                = yes
+
+[recidive]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 8d
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 128d
+bantime.multipliers   = 1 2 4 8 16
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = recidive
+findtime              = 16d
+logpath               = /var/log/fail2ban/fail2ban.log*
+maxretry              = 2
+
+### SSH Handling:     Foreign IP (not in /etc/hosts.allow): refused to connect: immediate ban [sshd-refused]
+###                   Jump host mistyped 1-3 times: no ban, only after four attempts          [sshd]
+
+[sshd]
+enabled               = true
+backend               = systemd
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = sshd
+findtime              = 16m
+maxretry              = 4
+mode                  = aggressive
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+[sshd-refused]
+enabled               = true
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-sshd-refused
+findtime              = 16m
+logpath               = /var/log/auth.log
+maxretry              = 1
+port                  = PORT_MUST_BE_SET
+protocol              = tcp
+
+#
+# CISS aggressive approach:
+# Any valid client communicating with our server should be going directly to the service ports opened in ufw (ssh, 80, ...).
+# Any client touching other ports is treated as malicious and therefore should be blocked access to ALL ports after 1 attempt.
+#
+
+[ufw]
+enabled               = true
+banaction             = nftables[type=custom, family=inet, table=f2b-table, chain=f2b-chain, blocktype=drop]
+bantime               = 1h
+bantime.increment     = true
+bantime.factor        = 1
+bantime.maxtime       = 16d
+bantime.multipliers   = 1 2 4 8 16 32 64 128 256 384
+bantime.overalljails  = true
+bantime.rndtime       = 877s
+filter                = ciss-ufw
+findtime              = 16m
+logpath               = /var/log/ufw.log
+maxretry              = 1
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << EOF >| /etc/fail2ban/filter.d/ciss-ufw.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+# Match UFW BLOCK/REJECT with a source IP and *any* port field (SPT or DPT), protocol may be missing.
+failregex             = ^.*UFW (?:BLOCK|REJECT).*?\bSRC=<HOST>\b.*?(?:\bDPT=\d+\b|\bSPT=\d+\b).*$
+ignoreregex           =
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+cat << 'EOF' >| /etc/fail2ban/filter.d/ciss-sshd-refused.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-18; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+[Definition]
+failregex = ^refused connect from \S+ \(<HOST>\)
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+###########################################################################################
+# Remarks: hardening of fail2ban systemd                                                  #
+###########################################################################################
+# https://wiki.archlinux.org/title/fail2ban#Service_hardening                             #
+# The CapabilityBoundingSet parameters CAP_DAC_READ_SEARCH will allow Fail2ban full read  #
+# access to every directory and file. CAP_NET_ADMIN and CAP_NET_RAW allow Fail2ban to     #
+# operate # on any firewall that has a command-line shell interface. By using             #
+# ProtectSystem=strict the filesystem hierarchy will only be read-only; ReadWritePaths    #
+# allows Fail2ban to have write access on required paths.                                 #
+###########################################################################################
+mkdir -p /etc/systemd/system/fail2ban.service.d
+mkdir -p /var/log/fail2ban
+
+cat << 'EOF' >| /etc/systemd/system/fail2ban.service.d/override.conf
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
+
+### Added by CISS.debian.live.builder
+ProtectClock=true
+ProtectHostname=true
+
+EOF
+
+cat << 'EOF' >> /etc/fail2ban/fail2ban.local
+[Definition]
+logtarget             = /var/log/fail2ban/fail2ban.log
+
+[Database]
+# Keep entries for at least 384 days to cover recidive findtime.
+dbpurgeage            = 384d
+EOF
+
+###########################################################################################
+# Remarks: Logrotate must be updated either                                               #
+###########################################################################################
+cp -a /etc/logrotate.d/fail2ban /root/.ciss/cdlb/backup/fail2ban_logrotate.bak
+cat << EOF >| /etc/logrotate.d/fail2ban
+/var/log/fail2ban/fail2ban.log {
+    daily
+    rotate 384
+    maxage 384
+    notifempty
+    dateext
+    dateyesterday
+    compress
+    compresscmd /usr/bin/zstd
+    compressext .zst
+    compressoptions -20
+    uncompresscmd /usr/bin/unzstd
+    delaycompress
+    shred
+    missingok
+    postrotate
+        fail2ban-client flushlogs 1>/dev/null
+    endscript
+    # If fail2ban runs as non-root it still needs to have write access
+    # to logfiles.
+    # create 640 fail2ban adm
+    create 640 root adm
+}
+EOF
+
+touch /var/log/fail2ban/fail2ban.log
+chmod 0640 /var/log/fail2ban/fail2ban.log
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9970_remove_exim.chroot
+++ b/config/hooks/live/9970_remove_exim.chroot
@@ -13,16 +13,19 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
 cd /etc

-apt-get purge exim4 exim4-base exim4-config  -y
+apt-get purge exim4 exim4-base exim4-config -y
 apt-get autoremove -y
 apt-get autoclean -y
 apt-get autopurge -y

 apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config

-apt-get update
+apt-get update -qq
 apt-get upgrade -y

 if [[ -d /etc/exim4 ]]; then
--- a/config/hooks/live/9980_usb_guard.chroot
+++ b/config/hooks/live/9980_usb_guard.chroot
@@ -13,7 +13,8 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y usbguard

 ### Preparing USBGuard: see https://www.privacy-handbuch.de/handbuch_91a.htm
@@ -22,7 +23,7 @@ usbguard generate-policy >> /tmp/rules.conf

 if [[ -f /etc/usbguard/rules.conf && -s /etc/usbguard/rules.conf ]]; then

-  mv /etc/usbguard/rules.conf /root/.ciss/dlb/backup/usbguard_rules.conf.bak
+  mv /etc/usbguard/rules.conf /root/.ciss/cdlb/backup/usbguard_rules.conf.bak
  cp -a /tmp/rules.conf /etc/usbguard/rules.conf
  chmod 0600 /etc/usbguard/rules.conf

@@ -34,7 +35,7 @@ else

 fi

-cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/dlb/backup/usbguard-daemon.conf.bak
+cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon.conf.bak
 #sed -i "s/PresentDevicePolicy=apply-policy/PresentDevicePolicy=allow/" /etc/usbguard/usbguard-daemon.conf

 rm -f /tmp/rules.conf
--- a/config/hooks/live/9990_final_purge.chroot
+++ b/config/hooks/live/9990_final_purge.chroot
@@ -13,13 +13,15 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"

 apt-get update -qq

-apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-get purge -y exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail

-apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config qemu-guest-agent rmail
+apt-mark hold exim4 exim4-daemon-light exim4-base exim4-config postfix-mta-sts-resolver postfix qemu-guest-agent rmail

 dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true

--- a/config/hooks/live/9991_file_permissions.chroot
+++ b/config/hooks/live/9991_file_permissions.chroot
@@ -18,8 +18,8 @@ chmod 0644 /etc/issue
 chmod 0644 /etc/issue.net

 if [[ -f /etc/motd ]]; then
-  cp -a /etc/motd /root/.ciss/dlb/backup/motd.bak
-  chmod 0644 /root/.ciss/dlb/backup/motd.bak
+  cp -a /etc/motd /root/.ciss/cdlb/backup/motd.bak
+  chmod 0644 /root/.ciss/cdlb/backup/motd.bak
  rm /etc/motd
 fi

@@ -36,7 +36,7 @@ cat << EOF >| /etc/motd

 EOF

-cp -a /etc/login.defs /root/.ciss/dlb/backup/login.defs.bak
+cp -a /etc/login.defs /root/.ciss/cdlb/backup/login.defs.bak

 sed -ri 's/^(#?LOGIN_TIMEOUT)[[:space:]]+[0-9]+/\1 180/' /etc/login.defs
 sed -i 's/UMASK		022/UMASK		077/' /etc/login.defs
--- a/config/hooks/live/9992_password_expiration.chroot
+++ b/config/hooks/live/9992_password_expiration.chroot
@@ -10,6 +10,87 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
+#######################################
+# Iterates all '/etc/shadow' entries and sets:
+#   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
+#   Safe: creates a timestamped backup and (if available) locks '/etc/.pwd.lock'.
+# Globals:
+#   RECOVERY
+#   TARGET
+#   VAR_RUN_RECOVERY
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+update_shadow() {
+  ### Declare Arrays, HashMaps, and Variables.
+
+  declare -r  var_shadow="/etc/shadow"
+  declare -r  var_backup="/root/.ciss/cdlb/backup/etc/shadow.$(date +%s).bak"
+  declare -r  var_temp="${var_shadow}.new.$$"
+  declare -r  var_exp_dt="17.09.2102"
+  declare     var_exp_ds=""
+
+  mkdir -p "/root/.ciss/cdlb/backup/etc"
+
+  var_exp_ds="$(
+    awk -v d="${var_exp_dt}" 'BEGIN{
+      # Force UTC to avoid DST/timezone off-by-one errors
+      ENVIRON["TZ"]="UTC";
+      if (match(d, /^([0-9]{2})\.([0-9]{2})\.([0-9]{4})$/, a)) {
+        dd=a[1]+0; mm=a[2]+0; yyyy=a[3]+0;
+        sec = mktime(sprintf("%04d %02d %02d 00 00 00 0", yyyy, mm, dd));
+        if (sec < 0) { print "ERR"; exit 1 }
+        print int(sec/86400);
+        exit 0
+      } else { print "ERR"; exit 1 }
+    }'
+  )" || return 42
+
+  # shellcheck disable=SC2249
+  case "${var_exp_ds}" in
+
+    ''|*ERR*)
+      return 127
+      ;;
+
+  esac
+
+  umask 0077
+  cp --preserve=mode,ownership "${var_shadow}" "${var_backup}"
+
+  ### Rewrite fields 4..8 for every line
+  ### Preserve fields 1..3 and 9, keep password hashes untouched.
+  ### Pad to 9 fields if shorter; keep empty lines intact (rare but safe).
+  awk -v FS=":" -v OFS=":" -v v_exp="${var_exp_ds}" '
+    NF==0 { print; next }                      # preserve blank lines verbatim
+    {
+      # pad missing trailing fields to 9
+      for (i=NF+1; i<=9; i++) $i="";
+      $4=0; $5=16384; $6=128; $7=42; $8=v_exp; # set required fields
+      print
+    }
+  ' "${var_backup}" >| "${var_temp}"
+
+  ### Defensive: ensure non-empty output.
+  if [[ ! -s "${var_temp}" ]]; then
+    rm -f "${var_temp}"
+    return 42
+  fi
+
+  ### Preserve owner/mode (fallback to 0640 root:shadow if reference fails).
+  chown --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chown root:shadow "${var_temp}" 2>/dev/null || true
+  chmod --reference="${var_shadow}" "${var_temp}" 2>/dev/null || chmod 0640 "${var_temp}" 2>/dev/null || true
+
+  ### Atomic replace.
+  mv -f "${var_temp}" "${var_shadow}"
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f update_shadow

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

@@ -49,6 +130,8 @@ awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow

 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"

+update_shadow
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/9993_aide.chroot
+++ b/config/hooks/live/9993_aide.chroot
@@ -13,10 +13,11 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y aide > /dev/null 2>&1

-cp -u /etc/aide/aide.conf /root/.ciss/dlb/backup/aide.conf.bak
+cp -u /etc/aide/aide.conf /root/.ciss/cdlb/backup/aide.conf.bak
 sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf

 if aideinit > /dev/null 2>&1; then
--- a/config/hooks/live/9994_password_policy.chroot
+++ b/config/hooks/live/9994_password_policy.chroot
@@ -20,8 +20,8 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"

-cp -a /etc/security/pwquality.conf /root/.ciss/dlb/backup/pwquality.conf.bak
-chmod 0644 /root/.ciss/dlb/backup/pwquality.conf.bak
+cp -a /etc/security/pwquality.conf /root/.ciss/cdlb/backup/pwquality.conf.bak
+chmod 0644 /root/.ciss/cdlb/backup/pwquality.conf.bak

 cat << EOF >| /etc/security/pwquality.conf
 # SPDX-Version: 3.0
--- a/config/hooks/live/9996_auditd.chroot
+++ b/config/hooks/live/9996_auditd.chroot
@@ -25,30 +25,48 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "

 cd /root

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y auditd

-cp -u /etc/audit/audit.rules /root/.ciss/dlb/backup/audit.rules.bak
-cp -u /etc/audit/auditd.conf /root/.ciss/dlb/backup/auditd.conf.bak
-cp -u /etc/audit/rules.d/audit.rules /root/.ciss/dlb/backup/rules_d_audit.rules.bak
+cp -u /etc/audit/audit.rules /root/.ciss/cdlb/backup/audit.rules.bak
+cp -u /etc/audit/auditd.conf /root/.ciss/cdlb/backup/auditd.conf.bak
+cp -u /etc/audit/rules.d/audit.rules /root/.ciss/cdlb/backup/rules_d_audit.rules.bak
 rm -rf /etc/audit/rules.d/audit.rules

-############################################################### /etc/audit/rules.d/10-base-config.rules
-cat << EOF >| /etc/audit/rules.d/10-base-config.rules
+############################################################### /etc/audit/rules.d/00-base-config.rules
+cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 ## First rule - delete all
 -D

 ## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
-b 8192
+## Make this bigger for busy systems.
+-b 16384

-## This determine how long to wait in burst of events
--backlog_wait_time 60000
+## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
+-r 200

-## Set failure mode to syslog
+## This determine how long to wait in burst of events. How long to wait in bursts (us).
+--backlog_wait_time 1024
+
+## Set failure mode to syslog.
 -f 1
 EOF

+############################################################### /etc/audit/rules.d/10-ciss-noise-floor.rules
+cat << EOF >| /etc/audit/rules.d/10-ciss-noise-floor.rules
+## Ignore kernel/daemon noise without a loginuid (unset = 4294967295).
+-a never,exit -F auid=4294967295
+
+## Make privileged exec tracing user-initiated only (no boot-time daemons).
+-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -k exec_root
+
+## (Optional, same principle for suid/sgid transitions).
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=-1 -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/11-loginuid.rules
 cat << EOF >| /etc/audit/rules.d/11-loginuid.rules
 --loginuid-immutable
@@ -91,6 +109,17 @@ cat << EOF >| /etc/audit/rules.d/22-ignore-chrony.rules
 -a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=_chrony
 EOF

+############################################################### /etc/audit/rules.d/25-ciss-exec.rules
+cat << EOF >| /etc/audit/rules.d/25-ciss-exec.rules
+## Focus on privileged exec, not every user command
+-a always,exit -F arch=b64 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b32 -S execve -F euid=0 -k exec_root
+-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b32 -S execve -F exe=/usr/bin/sudo -k exec_sudo
+-a always,exit -F arch=b64 -S execve -C uid!=euid -k exec_suid_sgid
+-a always,exit -F arch=b32 -S execve -C uid!=euid -k exec_suid_sgid
+EOF
+
 ############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 ## Unsuccessful file creation (open with O_CREAT)
@@ -108,17 +137,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
 EOF

-############################################################### /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 ## Unsuccessful file modifications (open for write or truncate)
@@ -136,17 +154,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
 -a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
 EOF

-############################################################### /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 ## Unsuccessful file access (any other opens) This has to go last.
@@ -156,14 +163,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
 -a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
 EOF

-############################################################### /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 ## Unsuccessful file delete
@@ -173,13 +172,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
 -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
 EOF

-############################################################### /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 ## Unsuccessful permission change
@@ -189,13 +181,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
 -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
 EOF

-############################################################### /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 ## Unsuccessful ownership change
@@ -205,13 +190,6 @@ cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
 -a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
 EOF

-############################################################### /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-cat << EOF >| /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-EOF
-
 ############################################################### /etc/audit/rules.d/30-ospp-v42.rules
 cat << EOF >| /etc/audit/rules.d/30-ospp-v42.rules
 ## The purpose of these rules is to meet the requirements for Operating
--- a/config/hooks/live/9997_debsums.chroot
+++ b/config/hooks/live/9997_debsums.chroot
@@ -15,11 +15,12 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "

 cd /root

-export DEBIAN_FRONTEND="noninteractive"
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 apt-get install -y --no-install-recommends debsums

-cp -a /etc/default/debsums /root/.ciss/dlb/backup/debsums.bak
-chmod 0644 /root/.ciss/dlb/backup/debsums.bak
+cp -a /etc/default/debsums /root/.ciss/cdlb/backup/debsums.bak
+chmod 0644 /root/.ciss/cdlb/backup/debsums.bak
 sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums

 if debsums -g > /dev/null 2>&1; then
--- a/config/hooks/live/9998_sources_list_bookworm.chroot
+++ b/config/hooks/live/9998_sources_list_bookworm.chroot
@@ -1,61 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-set -Ceuo pipefail
-
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-# shellcheck disable=SC2155
-declare -r VAR_DATE="$(date +%F)"
-
-cd /root
-
-if [[ -f /etc/apt/sources.list ]]; then
-  mv /etc/apt/sources.list /root/.ciss/dlb/backup/sources.list.bak
-fi
-
-cat << 'EOF' >| /etc/apt/sources.list
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-#-----------------------------------------------------------------------------------------#
-#                                  OFFICIAL DEBIAN REPOS
-#-----------------------------------------------------------------------------------------#
-
-### Debian Main Repos Bookworm
-
-deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
-
-deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
-
-deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
-EOF
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
-# sleep 1
-
-exit 0
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9998_sources_list_trixie.chroot
+++ b/config/hooks/live/9998_sources_list_trixie.chroot
@@ -13,6 +13,9 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"

@@ -121,6 +124,11 @@ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF
 fi

+apt-get update -qq
+apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacements/removals.
+apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
+apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
--- a/config/hooks/live/9999_interfaces_update.chroot
+++ b/config/hooks/live/9999_interfaces_update.chroot
@@ -16,7 +16,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"

-mv /etc/network/interfaces /root/.ciss/dlb/backup/interfaces.chroot
+mv /etc/network/interfaces /root/.ciss/cdlb/backup/interfaces.chroot
 rm -f /etc/network/interfaces

 cat << EOF >| /etc/network/interfaces
--- a/config/hooks/live/9999_yyyy_logrotate.chroot
+++ b/config/hooks/live/9999_yyyy_logrotate.chroot
@@ -0,0 +1,66 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+### Declare Arrays, HashMaps, and Variables.
+declare -ar ary_logrotate=(
+  "alternatives"
+  "apt"
+  "btmp"
+  "chrony"
+  "clamav-daemon"
+  "clamav-freshclam"
+  "dpkg"
+  "fail2ban"
+  "rkhunter"
+  "rsnapshot"
+  "rsyslog"
+  "ufw"
+  "unattended-upgrades"
+  "usbguard"
+  "wtmp"
+)
+
+declare     var_file="" var_log=""
+[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
+export DEBIAN_FRONTEND="noninteractive" INITRD="No"
+
+for var_log in "${ary_logrotate[@]}"; do
+
+  var_file="/etc/logrotate.d/${var_log}"
+
+  [[ -e "${var_file}" ]] || continue
+
+  ### Replace leading 'monthly'/'weekly' directives with 'daily', preserving indentation and trailing comments.
+  sed -E -i \
+    -e 's/^([[:space:]]*)(monthly|weekly)([[:space:]]*)(#.*)?$/\1daily\3\4/' \
+    -e 's/^([[:space:]]*)rotate([[:space:]]+[0-9]+)?([[:space:]]*)(#.*)?$/\1rotate 90\3\4/' \
+    "${var_file}"
+
+done
+
+if ! logrotate -d /etc/logrotate.conf; then
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+
+else
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/9999_zzzz.chroot
+++ b/config/hooks/live/9999_zzzz.chroot
@@ -0,0 +1,94 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
+
+### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
+rm -f  /root/ciss_xdg_tmp.sh
+rm -fr /root/build
+find / -xdev \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -name '.keep' -exec rm -f -- {} +
+
+### Securing '/.ciss' ----------------------------------------------------------------------------------------------------------
+find /.ciss -type d -exec chmod 0700 {} +
+find /.ciss -type f -exec chmod 0440 {} +
+
+### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
+find /etc/ciss/keys -type f -exec chmod 0440 {} +
+
+### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
+update-initramfs -u -k all -v
+
+### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
+if [[ -d /lib/systemd/system ]]; then
+
+  var_unit_dir=/lib/systemd/system
+
+elif [[ -d /usr/lib/systemd/system ]]; then
+
+  var_unit_dir=/usr/lib/systemd/system
+
+fi
+
+### Enforce 'default.target' -> 'multi-user.target' as a symlink.
+if [[ -e "${var_link}" ]] && [[ ! -L "${var_link}" ]]; then
+
+  ### A regular file here is wrong; we remove it to avoid vendor fallback to graphical.
+  rm -f -- "${var_link}"
+
+fi
+
+if [[ ! -L "${var_link}" ]]; then
+
+  ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
+
+else
+
+  ### Ensure it points to multi-user.
+  # shellcheck disable=SC2312
+  if [[ "$(readlink -f "${var_link}")" != "${var_unit_dir}/multi-user.target" ]]; then
+
+    rm -f -- "${var_link}"
+    ln -s "${var_unit_dir}/multi-user.target" "${var_link}"
+
+  fi
+
+fi
+
+### Hard-block any display manager (mask via /dev/null symlink). Include common DMs, and the generic alias:
+ary_dm_units=(
+  "display-manager.service"
+  "gdm.service"
+  "gdm3.service"
+  "sddm.service"
+  "lightdm.service"
+  "xdm.service"
+  "lxdm.service"
+  "slim.service"
+)
+
+for var_dm in "${ary_dm_units[@]}"; do
+
+  if [[ ! -L "/etc/systemd/system/${var_dm}" ]]; then
+
+    ln -s /dev/null "/etc/systemd/system/${var_dm}"
+
+  fi
+
+done
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -0,0 +1,133 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+__umask=$(umask)
+umask 0077
+
+#######################################
+# Pre allocates space for LUKS container.
+# Globals:
+#   None
+# Arguments:
+#   1: LUKS Container
+#   2: LUKS Container Size
+# Returns:
+#   0: on success
+#   42: on failure
+#######################################
+preallocate() {
+  declare file="$1" size="$2"
+  declare -i blocksize=$((8*1024*1024))
+  declare -i blockcounter=$(( (size + blocksize - 1) / blocksize ))
+
+  if fallocate -l "${size}" -- "${file}" 2>/dev/null; then
+
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
+    return 0
+
+  else
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
+
+  fi
+
+  if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
+
+    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    return 0
+
+  else
+
+    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    return 42
+
+  fi
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f preallocate
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
+declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
+declare KEYFD=""
+
+# shellcheck disable=SC2155
+declare -i SIZE=$(stat -c%s -- "${ROOTFS}")
+
+### Safety margin:
+#   - LUKS2-Header and Metadata
+#   - dm-integrity Overhead (Tags and Journal)
+#   - Filesystem-Slack
+declare -i OVERHEAD_FIXED=$((64 * 1024 * 1024))
+declare -i OVERHEAD_PCT=3
+declare -i ALIGN_BYTES=$(( 2048 * 1024 ))
+declare -i BASE_SIZE=$(( SIZE + OVERHEAD_FIXED + (SIZE * OVERHEAD_PCT / 100) ))
+declare -i LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
+
+preallocate "${LUKSFS}" "${LUKSFS_SIZE}"
+
+exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
+
+cryptsetup luksFormat \
+  --batch-mode \
+  --cipher aes-xts-plain64 \
+  --integrity hmac-sha512 \
+  --iter-time 1000 \
+  --key-file "/proc/$$/fd/${KEYFD}" \
+  --key-size 512 \
+  --label crypt_liveiso \
+  --luks2-keyslots-size 16777216 \
+  --luks2-metadata-size 4194304 \
+  --pbkdf argon2id \
+  --sector-size 4096 \
+  --type luks2 \
+  --use-random \
+  --verbose \
+  "${LUKSFS}"
+
+cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
+
+# shellcheck disable=SC2155
+declare -i LUKS_FREE=$(blockdev --getsize64 /dev/mapper/crypt_liveiso)
+declare -i SQUASH_FS="${SIZE}"
+
+if (( LUKS_FREE >= SQUASH_FS )); then
+
+  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+
+else
+
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  exit 42
+
+fi
+
+dd if="${ROOTFS}" of=/dev/mapper/crypt_liveiso bs=8M status=progress conv=fsync
+sync
+cryptsetup close crypt_liveiso
+
+exec {KEYFD}<&-
+
+shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt"
+
+#rm -f -- "${ROOTFS}"
+
+umask "${__umask}"
+__umask=""
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/hooks/normal/.keep
+++ b/config/hooks/normal/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/.ciss/.keep
+++ b/config/includes.chroot/.ciss/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/.ciss/attestation/.keep
+++ b/config/includes.chroot/.ciss/attestation/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/ciss/.keep
+++ b/config/includes.chroot/etc/ciss/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc
+++ b/config/includes.chroot/etc/ciss/keys/0x8733B021_public.asc
@@ -0,0 +1,18 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaDcItBYJKwYBBAHaRw8BAQdAFyGLpFASTiK4vBgycV2wjb3ZaNqhjZ33E1ir
+MiU98Fu0LE1hcmMgUy4gV2VpZG5lciBCT1QgPG1zdytib3RAY29yZXNlY3JldC5k
+ZXY+iJkEExYIAEEWIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaDcItAIbAwUJCKVq
+fAULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRA85KY4hzOwIVOoAQD9WXoh
+Isjs4q7RCAtCXXWO4y4p8Dmn1AjCRN07vBYskQEAu/LjJYpjC553SnLPEN2PjZBt
+pNkwp/fMg2oigxRkygyI1AUQFggAVCIhBW/TwxZOreRiASSn6MzNd4l1ywe1QKfL
+3kbW7jRInWnCBQJoNwjMBYMIpYaAJBSAAAAAAA0ADnJlbUBnbnVwZy5vcmdDZW50
+dXJpb24sQ0lDQQAA3TABxjNpYGUWhvt6x3h688F1KJfeWrrMetflFZBA3UzoIAAg
+SltgMYRnCzpZFGnQILKgj9jyakwckxFLAAHHY/I0Fxmc5ujfkGScUhUKPhruVT2x
+w4aHogEuE9Ebu94JuvBQX3+RlHjG+47qG7bmAT81E47Hih0AuDgEaDcItBIKKwYB
+BAGXVQEFAQEHQOKAnInWn3Wy1fUJJD7bycrXEx6SoLejW5/0jGIG2VdGAwEIB4h+
+BBgWCAAmFiEEqmJzzDShs+vWn8hwPOSmOIczsCEFAmg3CLQCGwwFCQilanwACgkQ
+POSmOIczsCHztAEA2AWCPQ8V8hNdEBvYHwRye8Q9FJO7IyciwwpjH1nOBLMBAJS2
+OSrjMYBFaumow950s7T2d7BEpnxJBtCwfuF+RwgI
+=QwhF
+-----END PGP PUBLIC KEY BLOCK-----
--- a/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg
+++ b/config/includes.chroot/etc/ciss/keys/0x8733B021_public.gpg
--- a/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc
+++ b/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.asc
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEaCxYpRYJKwYBBAHaRw8BAQdAr9mRwJ44x3qirCRbE+qjgwBDzZLVkKXvC4UI
+AHxvyMK0JE1hcmMgUy4gV2VpZG5lciA8bXN3QGNvcmVzZWNyZXQuZGV2PoiZBBMW
+CABBFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgFAmgsWKUCGwMFCQiwGosFCwkIBwIC
+IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQhAKZkeYuhPhWnQEAulGegHfBva0ezN5/
+VVqLqDVTe+etr3crCcxKpj8gg7wA/3OfkCvgPht18OoIQbR1IA7jDBSOKvY8OfcR
+1632dZIIuDgEaCxYpRIKKwYBBAGXVQEFAQEHQP34OGSMdCMM8Ku/QY7NC81xbL0h
+kOFdDGlKlA865+kpAwEIB4h+BBgWCAAmFiEEh/wgoINpSv+4MwEbhAKZkeYuhPgF
+AmgsWKUCGwwFCQiwGosACgkQhAKZkeYuhPhnjgD+IHh9XhE+s3VB3ItDIgtT9gTA
+S8ET80dQcFmFGYfjs/oBALmXXxceE+aSd2VO6dumqhtzWCGE7S52/50hxRgLsi8G
+=C3ox
+-----END PGP PUBLIC KEY BLOCK-----
--- a/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg
+++ b/config/includes.chroot/etc/ciss/keys/0xE62E84F8_public.gpg
--- a/config/includes.chroot/etc/initramfs-tools/.keep
+++ b/config/includes.chroot/etc/initramfs-tools/.keep
@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -0,0 +1,497 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
+# shellcheck disable=SC2034
+
+set -Ceu -o pipefail -o ignoreeof
+shopt -s failglob
+shopt -s lastpipe
+shopt -u nullglob
+umask 0077
+declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+
+### Will be replaced at build time:
+declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
+declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
+
+#######################################
+# Variable declaration
+#######################################
+# shellcheck disable=SC2016
+declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
+# shellcheck disable=SC2155
+declare -r CURRENTDATE=$(date +"%F %T")
+declare -g ERRTRAP='false'
+declare -r GRE='\e[0;92m'
+declare -r MAG='\e[0;95m'
+declare -r RED='\e[0;91m'
+declare -r RES='\e[0m'
+declare -r NL='\n'
+declare -g NUKE_ENABLED='false'
+declare -g NUKE_HASH=''
+declare -g PASSPHRASE=''
+
+#######################################
+# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'.
+# Arguments:
+#   1: Prompt to print on terminal
+#   2: Variable name to capture passphrase
+#######################################
+ask_via_stdin() {
+  declare -r  prompt="$1"
+  declare -r  varname="$2"
+  ### Prompt to STDERR so pipes don't capture it.
+  printf "%s" "${prompt}" >&2
+  ### Silent, canonical read from FD 0 (SSH channel when forced-command).
+  IFS= read -r -s "${varname?}" <&0
+  printf "\n" >&2
+  return 0
+}
+
+#######################################
+# Printed text in color.
+# Arguments:
+#   1: Color code.
+#   *: Text to print.
+#######################################
+color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
+
+#######################################
+# Die Helper: print and then exit hard.
+# Globals:
+#   NC
+#   RED
+# Arguments:
+#   1: Message string to print.
+#######################################
+die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
+
+#######################################
+# Drop into the bash environment.
+# Arguments:
+#   None
+#######################################
+drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
+
+#######################################
+# Extract the 'nuke=' parameter from '/proc/cmdline'.
+# Globals:
+#   GRE
+#   NUKE_ENABLED
+#   NUKE_HASH
+#   RED
+#   REGEX
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+extract_nuke_hash() {
+  declare     ARG="" CMDLINE=""
+
+  ### Read '/proc/cmdline' into a single line safely.
+  read -r CMDLINE < /proc/cmdline
+
+  for ARG in ${CMDLINE}; do
+
+    # shellcheck disable=SC2249
+    case "${ARG,,}" in
+
+      nuke=*)
+        NUKE_HASH="${ARG#*=}"
+        if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
+
+          declare -g NUKE_ENABLED="true"
+          color_echo "${GRE}" "✅ System self check: [ok]"
+          return 0
+
+        else
+
+          ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
+          color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
+          color_echo "${RED}" "✘ Dropping to bash ...:"
+          drop_bash
+
+        fi
+      ;;
+
+    esac
+
+  done
+
+  color_echo "${GRE}" "✅ No Nuke Hash found."
+
+  return 0
+}
+
+#######################################
+# Gather information of all LUKS Devices available on the system.
+# Arguments:
+#   None
+#######################################
+gather_luks_devices() {
+  declare     prev=() curr=()
+  declare -i  tries=0
+
+  while ((tries < 10)); do
+
+    # shellcheck disable=SC2312
+    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
+
+    if [[ "${curr[*]}" == "${prev[*]}" ]]; then
+      break
+    fi
+
+    prev=("${curr[@]}")
+    tries=$((tries + 1))
+    sleep 1
+
+  done
+
+  printf '%s\n' "${curr[@]}"
+
+  return 0
+}
+
+#######################################
+# Erase the LUKS headers on all LUKS devices, then shut down the system.
+# Globals:
+#   DEVICES_LUKS
+#   RED
+# Arguments:
+#   None
+#######################################
+nuke() {
+  declare     dev=""
+
+  for dev in "${DEVICES_LUKS[@]}"; do
+
+    cryptsetup erase --batch-mode "${dev}" || true
+    color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
+
+  done
+
+  secure_unset_pass
+
+  color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
+
+  power_off 16
+}
+
+#######################################
+# Unified power-off routine.
+# Arguments:
+#   1: Sleep time before power-off in seconds (Default to 0 seconds).
+#######################################
+power_off() {
+  declare -r  wait="${1:-0}"
+  sleep "${wait}"
+  sync
+  echo 1 >| /proc/sys/kernel/sysrq
+  echo o >| /proc/sysrq-trigger
+  ### The System powers off immediately; no further code is executed.
+}
+
+#######################################
+# Print Error Message for Trap on 'ERR' on Terminal.
+# Globals:
+#   NL
+#   RED
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+print_scr_err() {
+  declare -r  scr_err_errcode="$1"
+  declare -r  scr_err_errscrt="$2"
+  declare -r  scr_err_errline="$3"
+  declare -r  scr_err_errfunc="$4"
+  declare -r  scr_err_errcmmd="$5"
+
+  printf "%b" "${NL}" >&2
+
+  color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
+  printf "%b" "${NL}" >&2
+  color_echo "${RED}" "✘ Error               : [${scr_err_errcode}]" >&2
+  color_echo "${RED}" "✘ Line                : [${scr_err_errline}]" >&2
+  color_echo "${RED}" "✘ Script              : [${scr_err_errscrt}]" >&2
+  color_echo "${RED}" "✘ Function            : [${scr_err_errfunc}]" >&2
+  color_echo "${RED}" "✘ Command             : [${scr_err_errcmmd}]" >&2
+  printf "%b" "${NL}" >&2
+
+  return 0
+}
+
+#######################################
+# Print Error Message for '0'-Exit-Code on Terminal.
+# Globals:
+#   GRE
+# Arguments:
+#   None
+#######################################
+print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
+
+#######################################
+# Generates an informative shell prompt.
+# Globals:
+#   PS1
+# Arguments:
+#   None
+#######################################
+prompt_string() {
+  declare -gx PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+  # Show exit status in green if zero
+  echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+else \
+  # Show exit status in red otherwise
+  echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+fi)\
+|~\$ "
+}
+
+#######################################
+# Read the passphrase interactively.
+# Globals:
+#   NUKE_ENABLED
+#   NUKE_HASH
+#   PASSPHRASE
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+read_passphrase() {
+  declare -i  ROUNDS=0
+  declare     CAND="" SALT=""
+
+  ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
+  ask_via_stdin "Enter passphrase: " PASSPHRASE
+
+  ### NUKE pre-check.
+  if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
+
+    ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+    ROUNDS="${ROUNDS#rounds=}"
+    SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
+    CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
+
+    ### NUKE final check.
+    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
+
+      nuke
+
+    fi
+
+  fi
+
+  return 0
+}
+
+#######################################
+# Securely unset the 'PASSPHRASE'-variable.
+# Globals:
+#   PASSPHRASE
+# Arguments:
+#   None
+#######################################
+secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
+
+#######################################
+# Trap function to be called on 'ERR'.
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+trap_on_err() {
+  declare -r  errcode="$1"
+  declare -r  errscrt="$2"
+  declare -r  errline="$3"
+  declare -r  errfunc="$4"
+  declare -r  errcmmd="$5"
+  declare -g  ERRTRAP='true'
+
+  trap - ERR INT TERM
+  stty echo 2>/dev/null || true
+  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
+  power_off 16
+}
+
+#######################################
+# Security Trap on 'EXIT'.
+# Globals:
+#   ERRTRAP
+# Arguments:
+#   None
+#######################################
+trap_on_exit() {
+  trap - ERR EXIT INT TERM
+  [[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
+}
+
+#######################################
+# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
+# Globals:
+#   NL
+#   RED
+# Arguments:
+#   None
+#######################################
+trap_on_term() {
+  trap - ERR INT TERM
+  stty echo 2>/dev/null || true
+  printf "%b" "${NL}"
+  color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
+  power_off 3
+}
+
+#######################################
+# Check the integrity and authenticity of this script itself.
+# Globals:
+#   GRE
+#   MAG
+#   RED
+# Arguments:
+#   0: Script Name
+#######################################
+verify_script() {
+  declare     dir
+  # shellcheck disable=SC2312
+  dir="$(dirname "$(readlink -f "${0}")")"
+  declare     script; script="$(basename "${0}")"
+  declare -a  algo=( "sha512" )
+  declare     cmd="" computed="" expected="" hashfile="" item="" sigfile=""
+
+  for item in "${algo[@]}"; do
+
+    hashfile="${dir}/${script}.${item}sum.txt"
+    sigfile="${hashfile}.sig"
+    cmd="${item}sum"
+
+    color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
+
+    if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
+
+      color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
+      color_echo "${RED}" "✘ System Power Off in 3 seconds."
+      power_off 3
+
+    else
+
+      color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
+
+    fi
+
+
+    color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
+
+    declare _=""
+    # shellcheck disable=SC2312
+    read -r computed _ < <("${cmd}" "${dir}/${script}")
+    read -r expected _ < "${hashfile}"
+
+    if [[ "${computed}" != "${expected}" ]]; then
+
+      color_echo "${RED}" "✘ Recomputed hash mismatch for     : [${item}]"
+      color_echo "${RED}" "✘ System Power Off in 3 seconds."
+      power_off 3
+
+    fi
+
+    color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
+
+  done
+
+  color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
+  return 0
+}
+
+#######################################
+# Main Program Sequence.
+# Globals:
+#   CURRENTDATE
+#   DEVICES_LUKS
+#   GRE
+#   MAG
+#   NL
+#   PASSPHRASE
+#   RED
+# Arguments:
+#   None
+#######################################
+main() {
+  exec 1>&2
+
+  trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+  trap 'trap_on_exit' EXIT
+  trap 'trap_on_term' INT TERM
+
+  uname -a
+
+  printf "%b" "${NL}"
+  color_echo "${RED}" "Coresecret Connection established."
+  color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
+
+  printf "%b" "${NL}"
+  color_echo "${MAG}" "Integrity self-check ..."
+  verify_script
+
+  ### Read newline-separated output into an array.
+  printf "%b" "${NL}"
+  color_echo "${MAG}" "Scanning for LUKS devices ..."
+  # shellcheck disable=SC2312
+  mapfile -t DEVICES_LUKS < <(gather_luks_devices)
+
+  ### If there are no LUKS devices at all, drop to bash.
+  if (( ${#DEVICES_LUKS[@]} == 0 )); then
+    printf "%b" "${NL}"
+    color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
+    drop_bash
+  fi
+
+  ### Extract the 'nuke='-parameter from '/proc/cmdline'.
+  printf "%b" "${NL}"
+  extract_nuke_hash
+
+  ### Read passphrase interactively.
+  read_passphrase
+
+  if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
+
+    secure_unset_pass
+    exit 0
+
+  else
+
+    secure_unset_pass
+
+    printf "%b" "${NL}"
+    color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
+    color_echo "${GRE}" "  No LUKS operations performed. Dropping to bash ..."
+    color_echo "${GRE}" "  To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
+
+    drop_bash
+
+  fi
+}
+
+main "${@}"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
+
+set -Ceuo pipefail
+
+### Paths
+declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
+declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
+declare -r GNUPGHOME="/root/.ciss/gnupg"
+
+### Output Files
+declare -r HASH384="${SCRIPT}.sha384"
+declare -r HASH512="${SCRIPT}.sha512"
+declare -r SIG384="${HASH384}.sig"
+declare -r SIG512="${HASH512}.sig"
+
+### Ensure GNUPGHOME exists with secure permissions
+mkdir -p "${GNUPGHOME}"
+chmod 0700 "${GNUPGHOME}"
+
+### Import private key only if not already present
+if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
+  printf "\e[0;92m✅ Importing private key ... \e[0m\n"
+  gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
+else
+  printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
+fi
+
+### Extract fingerprint of the first secret key
+# shellcheck disable=SC2155
+declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
+
+if [[ -z "${FPR}" ]]; then
+  printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
+  exit 1
+fi
+
+printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
+
+### Hashing (only the hash value, no filename)
+printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
+
+if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
+  printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
+fi
+
+if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
+  printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
+fi
+
+printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
+
+### Signing Hashes
+printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
+
+if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
+  printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
+fi
+
+if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
+  printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
+fi
+
+printf "\e[0;92m🔑 Signing hashes done.  \e[0m\n"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
@@ -0,0 +1,42 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+mkdir -p "${DESTDIR}/etc"
+
+cat >| "${DESTDIR}/etc/profile" << 'EOF'
+export PS1='$( STATUS=$?; \
+  if [ "${STATUS}" -eq 0 ]; then \
+    printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
+  else \
+    printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
+  fi; ) '
+EOF
+
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
+++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
@@ -0,0 +1,153 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+
+### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
+install -d -m 0755  "${DESTDIR}/etc/ciss/keys"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/conf.d"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+install -d -m 0755  "${DESTDIR}/usr/bin"
+install -d -m 0755  "${DESTDIR}/usr/local/bin"
+install -d -m 0755  "${DESTDIR}/usr/sbin"
+
+
+### Include 'bash' -------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/bash /usr/bin/bash
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
+
+
+### Include 'blkid' ------------------------------------------------------------------------------------------------------------
+copy_exec /usr/sbin/blkid /usr/sbin/blkid
+printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
+
+
+### Include 'busybox' ----------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/busybox /usr/bin/busybox
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/bin/busybox] \n\e[0m"
+
+
+### Include 'dmsetup' ----------------------------------------------------------------------------------------------------------
+copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup
+printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup] \n\e[0m"
+
+
+### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
+copy_exec /usr/bin/sort /usr/bin/sort
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
+
+
+### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/gpgv /usr/bin/gpgv
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
+
+
+### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/lsblk /usr/bin/lsblk
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
+
+
+### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/mkpasswd /usr/mkpasswd
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
+copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
+
+
+### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
+copy_exec /usr/bin/udevadm /usr/bin/udevadm
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
+
+
+### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
+copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
+copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
+
+
+### Include 'tree' -------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/tree /usr/bin/tree
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
+
+
+### Include 'whois' ------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/whois /usr/bin/whois
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
+
+
+### Link busybox applets for compatibility -------------------------------------------------------------------------------------
+for dir in bin usr/bin; do
+  ln -sf busybox "${DESTDIR}/${dir}/cat"
+  ln -sf busybox "${DESTDIR}/${dir}/sleep"
+done
+
+
+### Install GPG signing keys ---------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/keys"
+dst_dir="${DESTDIR}/etc/ciss/keys"
+key=""
+
+if [ -d "${src_dir}" ]; then
+
+    install -d -m 0755 "${dst_dir}"
+
+    for key in "${src_dir}"/*.gpg; do
+
+        [ -e "${key}" ] || continue
+
+        install -m 0444 "${key}" "${dst_dir}/"
+
+        printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
+
+    done
+
+fi
+
+### Install Dropbear configuration ---------------------------------------------------------------------------------------------
+install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
+
+### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
+install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
+printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
+
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512sum.txt"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt %s/usr/local/bin/unlock_wrapper.sh.sha512sum.txt] \n\e[0m" "${DESTDIR}"
+
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512sum.txt.sig"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512sum.txt.sig %s/usr/local/bin/unlock_wrapper.sh.sha512sum.txt.sig] \n\e[0m" "${DESTDIR}"
+
+### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
+install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
+
+### EOS
+
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/Show More
+++ b/Show More